TrueNAS | Enterprise Security Responses
Component | Description | Security Reference | Severity | Security Risk | Impacted Version | Resolved Version | More Info | Additional Info |
---|---|---|---|---|---|---|---|---|
openssh | A critical security vulnerability has been discovered in OpenSSH implementations on FreeBSD systems, potentially allowing attackers to execute remote code without authentication. The vulnerability, identified as CVE-2024-7589, affects all supported versions of FreeBSD. | CVE-2024-7589 | High | None | CORE-13.0-U5.3 | N/A False Positive | Link | The OpenSSH in TrueNAS is not built with the vulnerable feature enabled. TrueNAS is not vulnerable to this issue. |
openssh | A security regression (CVE-2024-6387) was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period. This bug allows remote code execution. | CVE-2024-6387 | High | High | CORE-13.0-U5.3 | CORE-13.0-U6.2 | Link | |
py39-configobj-5.0.6_1 | All versions of the package configobj are vulnerable to Regular Expression Denial of Service (ReDoS) via the validate function, using `(.+?)\((.*)\)`. **Note:** This is only exploitable in the case of a developer putting the offending value in a server-side configuration file. | CVE-2023-26112 | Medium | Low | CORE-13.0-U5.3 | Not yet resolved | Link | Only exploitable by a privileged local user who already has full access to the system. |
git-lite-2.34.1 | Git is an open source, scalable, distributed revision control system. `git shell` is a restricted login shell that can be used to implement Git's push/pull functionality via SSH. In versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4, the function that splits the command arguments into an array improperly uses an `int` to represent the number of entries in the array, allowing a malicious actor to intentionally overflow the return value, leading to arbitrary heap writes. Because the resulting array is then passed to `execv()`, it is possible to leverage this attack to gain remote code execution on a victim machine. Note that a victim must first allow access to `git shell` as a login shell in order to be vulnerable to this attack. This problem is patched in versions 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 and users are advised to upgrade to the latest version. Disabling `git shell` access via remote logins is a viable short-term workaround. | CVE-2022-39260 | High | Low | CORE-13.0-U5.3 | Not yet resolved | Link | Authorized SSH users are able to exploit this vulnerability; following the recommended security configuration of not providing this access mitigates the issue. |
git-lite-2.34.1 | Git is an open source, scalable, distributed revision control system. Versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 are subject to exposure of sensitive information to a malicious actor. When performing a local clone (where the source and target of the clone are on the same volume), Git copies the contents of the source's `$GIT_DIR/objects` directory into the destination by either creating hardlinks to the source contents, or copying them (if hardlinks are disabled via `--no-hardlinks`). A malicious actor could convince a victim to clone a repository with a symbolic link pointing at sensitive information on the victim's machine. This can be done either by having the victim clone a malicious repository on the same machine, or having them clone a malicious repository embedded as a bare repository via a submodule from any source, provided they clone with the `--recurse-submodules` option. Git does not create symbolic links in the `$GIT_DIR/objects` directory. The problem has been patched in the versions published on 2022-10-18, and backported to v2.30.x. Potential workarounds: Avoid cloning untrusted repositories using the `--local` optimization when on a shared machine, either by passing the `--no-local` option to `git clone` or cloning from a URL that uses the `file://` scheme. Alternatively, avoid cloning repositories from untrusted sources with `--recurse-submodules` or run `git config --global protocol.file.allow user`. | CVE-2022-39253 | Medium | Low | CORE-13.0-U5.3 | Not yet resolved | Link | Authorized SSH users are able to exploit this vulnerability; following the recommended security configuration of not providing this access mitigates the issue. |
git | Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, a specially crafted `.gitmodules` file with submodule URLs that are longer than 1024 characters can be used to exploit a bug in `config.c::git_config_copy_or_rename_section_in_file()`. This bug can be used to inject arbitrary configuration into a user's `$GIT_DIR/config` when attempting to remove the configuration section associated with that submodule. When the attacker injects configuration values which specify executables to run (such as `core.pager`, `core.editor`, `core.sshCommand`, etc.) this can lead to a remote code execution. A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid running `git submodule deinit` on untrusted repositories or without prior inspection of any submodule sections in `$GIT_DIR/config`. | CVE-2023-29007 | High | Low | CORE-13.0-U5.3 | Not yet resolved | Link | Git is not exposed to TrueNAS users in a manner which makes this exploitable. |
git | Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, by feeding specially crafted input to `git apply --reject`, a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch). A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid using `git apply` with `--reject` when applying patches from an untrusted source. Use `git apply --stat` to inspect a patch before applying; avoid applying one that creates a conflict where a link corresponding to the `*.rej` file exists. | CVE-2023-25652 | High | Low | CORE-13.0-U5.3 | Not yet resolved | Link | Git is not exposed to TrueNAS users in a manner which makes this exploitable. |
py39-beaker-1.11.0 | The Beaker library through 1.11.0 for Python is affected by deserialization of untrusted data, which could lead to arbitrary code execution. | CVE-2013-7489 | Medium | Low | CORE-13.0-U5.3 | Not yet resolved | Link | Only exploitable by a privileged local user who already has full access to the system. |
minio-2021.12.27.07.23.18_1 | MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. A security issue was found where a non-admin user is able to create service accounts for root or other admin users and then is able to assume their access policies via the generated credentials. This in turn allows the user to escalate privilege to that of the root user. This vulnerability has been resolved in pull request #14729 and is included in `RELEASE.2022-04-12T06-55-35Z`. Users unable to upgrade may work around this issue by explicitly adding an `admin:CreateServiceAccount` deny policy; however, this in turn denies the user the ability to create their own service accounts as well. | CVE-2022-24842 | High | Critical | CORE-13.0-U5.3 | Not yet resolved | Link | The built-in service is exploitable, but this can be mitigated by migrating to the “Plugin-Based” MinIO service, which is patched beyond this vulnerability level. With the built-in S3 service set to “Disabled” in the TrueNAS UI, TrueNAS is not vulnerable. This issue may be addressed in a future TrueNAS release. |
minio-2021.12.27.07.23.18_1 | MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. A security issue was found where a non-admin user is able to create service accounts for root or other admin users and then is able to assume their access policies via the generated credentials. This in turn allows the user to escalate privilege to that of the root user. This vulnerability has been resolved in pull request #14729 and is included in `RELEASE.2022-04-12T06-55-35Z`. Users unable to upgrade may work around this issue by explicitly adding an `admin:CreateServiceAccount` deny policy; however, this in turn denies the user the ability to create their own service accounts as well. | CVE-2023-28432 | High | Critical | CORE-13.0-U5.3 | Not yet resolved | Link | The built-in service is exploitable, but this can be mitigated by migrating to the “Plugin-Based” MinIO service, which is patched beyond this vulnerability level. With the built-in S3 service set to “Disabled” in the TrueNAS UI, TrueNAS is not vulnerable. This issue may be addressed in a future TrueNAS release. |
minio-2021.12.27.07.23.18_1 | Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing `PostPolicyBucket`. To carry out this attack, the attacker requires credentials with `arn:aws:s3:::*` permission, as well as enabled Console API access. This issue has been patched in RELEASE.2023-03-20T20-16-18Z. As a workaround, enable browser API access and turn off `MINIO_BROWSER=off`. | CVE-2023-28434 | High | Critical | CORE-13.0-U5.3 | Not yet resolved | Link | The built-in service is exploitable, but this can be mitigated by migrating to the “Plugin-Based” MinIO service, which is patched beyond this vulnerability level. With the built-in S3 service set to “Disabled” in the TrueNAS UI, TrueNAS is not vulnerable. This issue may be addressed in a future TrueNAS release. |
libxml2-2.9.12 | An issue was discovered in libxml2 before 2.10.4. When hashing empty dict strings in a crafted XML document, xmlDictComputeFastKey in dict.c can produce non-deterministic values, leading to various logic and memory errors, such as a double free. This behavior occurs because there is an attempt to use the first byte of an empty string, and any value is possible (not solely the '\0' value). | CVE-2023-29469 | Medium | Low | CORE-13.0-U5.3 | Not yet resolved | Link | TrueNAS assessment: only exploitable by a privileged user |
libxml2-2.9.12 | In libxml2 before 2.10.4, parsing of certain invalid XSD schemas can lead to a NULL pointer dereference and subsequently a segfault. This occurs in xmlSchemaFixupComplexType in xmlschemas.c. | CVE-2023-28484 | Medium | Low | CORE-13.0-U5.3 | Not yet resolved | Link | TrueNAS assessment: only exploitable by a privileged user |
squashfs-tools-4.3_1 | Integer overflow in the read_fragment_table_4 function in unsquash-4.c in Squashfs and sasquatch allows remote attackers to cause a denial of service (application crash) via a crafted input, which triggers a stack-based buffer overflow. | CVE-2015-4645 | Medium | Low | CORE-13.0-U5.3 | Not yet resolved | Link | TrueNAS assessment: only exploitable by a privileged user |
pixman-0.40.0_1 | In libpixman in Pixman before 0.42.2, there is an out-of-bounds write (aka heap-based buffer overflow) in rasterize_edges_8 due to an integer overflow in pixman_sample_floor_y. | CVE-2022-44638 | High | Low | CORE-13.0-U5.3 | Not yet resolved | Link | TrueNAS assessment: only exploitable by a privileged user |
py39-sentry-sdk-1.4.3 | Sentry SDK is the official Python SDK for Sentry, real-time crash reporting software. When using the Django integration of versions prior to 1.14.0 of the Sentry SDK in a specific configuration it is possible to leak sensitive cookies values, including the session cookie to Sentry. These sensitive cookies could then be used by someone with access to your Sentry issues to impersonate or escalate their privileges within your application. In order for these sensitive values to be leaked, the Sentry SDK configuration must have `sendDefaultPII` set to `True`; one must use a custom name for either `SESSION_COOKIE_NAME` or `CSRF_COOKIE_NAME` in one's Django settings; and one must not be configured in one's organization or project settings to use Sentry's data scrubbing features to account for the custom cookie names. As of version 1.14.0, the Django integration of the `sentry-sdk` will detect the custom cookie names based on one's Django settings and will remove the values from the payload before sending the data to Sentry. As a workaround, use the SDK's filtering mechanism to remove the cookies from the payload that is sent to Sentry. For error events, this can be done with the `before_send` callback method and for performance related events (transactions) one can use the `before_send_transaction` callback method. Those who want to handle filtering of these values on the server-side can also use Sentry's advanced data scrubbing feature to account for the custom cookie names. Look for the `$http.cookies`, `$http.headers`, `$request.cookies`, or `$request.headers` fields to target with a scrubbing rule. | CVE-2023-28117 | Medium | False Positive | CORE-13.0-U5.3 | Not yet resolved | Link | TrueNAS does not use Sentry SDK with Django so this doesn’t apply. |
py39-cryptography-3.3.2 | There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network. | CVE-2023-0286 | High | Low | CORE-13.0-U5.3 | Not yet resolved | Link | TrueNAS assessment: only exploitable by a privileged user |
py39-cryptography-3.3.2 | cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions `Cipher.update_into` would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as `bytes`) to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This now correctly raises an exception. This issue has been present since `update_into` was originally introduced in cryptography 1.8. | CVE-2023-23931 | Medium | Low | CORE-13.0-U5.3 | Not yet resolved | Link | TrueNAS assessment: only exploitable by a privileged user |
py39-setuptools-57.0.0 | Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py. | CVE-2022-40897 | Medium | Low | CORE-13.0-U5.3 | Not yet resolved | Link | TrueNAS assessment: only exploitable by a privileged user |
TrueNAS middleware | A vulnerability involving python deserialization, CVE-2020-22083, was found. | CVE-2020-22083 | Medium | Medium | CORE-13.0-U6.2 | CORE-13.0-U6.3 | Link | TrueNAS assessment: exploitable by a local user |
TrueNAS iocage | A vulnerability involving iocage updates was found. | CVE-2020-22083 | High | High | CORE-13.0-U6.2 | partial fix in CORE-13.0-U6.3 | Link | TrueNAS assessment: exploitable if attacker can control local gateway or upstream network. |
TrueNAS middleware | A vulnerability involving python deserialization, CVE-2020-22083, was found. | NAS-132268 | Medium | Medium | CORE-13.3 | CORE-13.3-U1 | Link | TrueNAS assessment: exploitable by a local user |
TrueNAS middleware | A vulnerability involving iocage updates was found. | CVE-2024-11944 | High | High | CORE-13.3 | CORE-13.3-U1 | Link | TrueNAS assessment: exploitable if attacker can control local gateway or upstream network. |
TrueNAS iocage | A vulnerability involving iocage updates was found. | CVE-2024-11946 | High | High | CORE-13.3 | partial fix in CORE-13.3-U1 | Link | TrueNAS assessment: exploitable if attacker can control local gateway or upstream network. |
rsync-3.2.7 | Heap-buffer overflow in Rsync due to improper checksum length handling | CVE-2024-12084 | High | High | CORE-13.0 | CORE-13.0-U6.6 | Link | TrueNAS assessment: exploitable if rsync service is enabled. Note that rsync service is not needed for TrueNAS rsync tasks. |
rsync-3.2.7 | Information leak via uninitialized stack contents | CVE-2024-12085 | Medium | Medium | CORE-13.0 | CORE-13.0-U6.6 | Link | TrueNAS assessment: exploitable if rsync service is enabled. Note that rsync service is not needed for TrueNAS rsync tasks. |
rsync-3.2.7 | Rsync server leaks arbitrary client files | CVE-2024-12086 | Medium | Medium | CORE-13.0 | CORE-13.0-U6.6 | Link | TrueNAS assessment: exploitable if rsync service is enabled. Note that rsync service is not needed for TrueNAS rsync tasks. |
rsync-3.2.7 | Path traversal vulnerability in Rsync | CVE-2024-12087 | Medium | Medium | CORE-13.0 | CORE-13.0-U6.6 | Link | TrueNAS assessment: exploitable if rsync service is enabled. Note that rsync service is not needed for TrueNAS rsync tasks. |
rsync-3.2.7 | --safe-links option bypass leads to path traversal | CVE-2024-12088 | Medium | Medium | CORE-13.0 | CORE-13.0-U6.6 | Link | TrueNAS assessment: exploitable if rsync service is enabled. Note that rsync service is not needed for TrueNAS rsync tasks. |
rsync-3.2.7 | Race condition in Rsync when handling symbolic links | CVE-2024-12747 | Medium | Medium | CORE-13.0 | CORE-13.0-U6.6 | Link | TrueNAS assessment: exploitable if rsync service is enabled. Note that rsync service is not needed for TrueNAS rsync tasks. |
rsync-3.2.7 | Heap-buffer overflow in Rsync due to improper checksum length handling | CVE-2024-12084 | High | High | CORE-13.3 | CORE-13.3-U2 | Link | TrueNAS assessment: exploitable if rsync service is enabled. Note that rsync service is not needed for TrueNAS rsync tasks. |
rsync-3.2.7 | Information leak via uninitialized stack contents | CVE-2024-12085 | Medium | Medium | CORE-13.3 | CORE-13.3-U2 | Link | TrueNAS assessment: exploitable if rsync service is enabled. Note that rsync service is not needed for TrueNAS rsync tasks. |
rsync-3.2.7 | Rsync server leaks arbitrary client files | CVE-2024-12086 | Medium | Medium | CORE-13.3 | CORE-13.3-U2 | Link | TrueNAS assessment: exploitable if rsync service is enabled. Note that rsync service is not needed for TrueNAS rsync tasks. |
rsync-3.2.7 | Path traversal vulnerability in Rsync | CVE-2024-12087 | Medium | Medium | CORE-13.3 | CORE-13.3-U2 | Link | TrueNAS assessment: exploitable if rsync service is enabled. Note that rsync service is not needed for TrueNAS rsync tasks. |
rsync-3.2.7 | --safe-links option bypass leads to path traversal | CVE-2024-12088 | Medium | Medium | CORE-13.3 | CORE-13.3-U2 | Link | TrueNAS assessment: exploitable if rsync service is enabled. Note that rsync service is not needed for TrueNAS rsync tasks. |
rsync-3.2.7 | Race condition in Rsync when handling symbolic links | CVE-2024-12747 | Medium | Medium | CORE-13.3 | CORE-13.3-U2 | Link | TrueNAS assessment: exploitable if rsync service is enabled. Note that rsync service is not needed for TrueNAS rsync tasks. |
openssh | A security regression (CVE-2024-6387) was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period. This bug allows remote code execution. | CVE-2024-6387 | High | High | 24.04.0 | 24.04.2 | Link | |
github.com/bits-and-blooms/bloom/v3 (v3.0.1) | Uncontrolled Search Path Element in GitHub repository bits-and-blooms/bloom prior to 3.3.1. | CVE-2023-0247 | High | Low | 22.12.4 | Cobia 23.10-BETA.1 | Link | The built-in MinIO service (the source of this component) is exploitable, but this can be mitigated by migrating to the “Plugin-Based” MinIO service, which is patched beyond this vulnerability level. With the built-in S3 service set to “Disabled” in the TrueNAS UI, TrueNAS is not vulnerable. This issue may be addressed in a future TrueNAS release. |
github.com/containerd/containerd (1.6.6 & 1.5.7) | containerd is an open source container runtime. Before versions 1.6.18 and 1.5.18, when importing an OCI image, there was no limit on the number of bytes read for certain files. A maliciously crafted image with a large file where a limit was not applied could cause a denial of service. This bug has been fixed in containerd 1.6.18 and 1.5.18. Users should update to these versions to resolve the issue. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images. | CVE-2023-25153 | Medium | Low | 22.12.4 | Cobia 23.10-BETA.1 | Link | TrueNAS assessment: only exploitable by a privileged user |
github.com/containerd/containerd (1.6.6 & 1.5.7) | containerd is an open source container runtime. A bug was found in containerd prior to versions 1.6.18 and 1.5.18 where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. Downstream applications that use the containerd client library may be affected as well. This bug has been fixed in containerd v1.6.18 and v1.5.18. Users should update to these versions and recreate containers to resolve this issue. Users who rely on a downstream application that uses containerd's client library should check that application for a separate advisory and instructions. As a workaround, ensure that the `"USER $USERNAME"` Dockerfile instruction is not used. Instead, set the container entrypoint to a value similar to `ENTRYPOINT ["su", "-", "user"]` to allow `su` to properly set up supplementary groups. | CVE-2023-25173 | High | Low | 22.12.4 | Cobia 23.10-BETA.1 | Link | TrueNAS assessment: only exploitable by a privileged user |
github.com/containerd/containerd (1.6.6 & 1.5.7) | containerd is an open source container runtime. A bug was found in containerd's CRI implementation where a user can exhaust memory on the host. In the CRI stream server, a goroutine is launched to handle terminal resize events if a TTY is requested. If the user's process fails to launch due to, for example, a faulty command, the goroutine will be stuck waiting to send without a receiver, resulting in a memory leak. Kubernetes and crictl can both be configured to use containerd's CRI implementation and the stream server is used for handling container IO. This bug has been fixed in containerd 1.6.12 and 1.5.16. Users should update to these versions to resolve the issue. Users unable to upgrade should ensure that only trusted images and commands are used and that only trusted users have permissions to execute commands in running containers. | CVE-2022-23471 | Medium | Low | 22.12.4 | Cobia 23.10-BETA.1 | Link | TrueNAS assessment: only exploitable by a privileged user |
github.com/containerd/containerd (1.5.7) | containerd is a container runtime available as a daemon for Linux and Windows. A bug was found in containerd prior to versions 1.6.1, 1.5.10, and 1.14.12 where containers launched through containerd’s CRI implementation on Linux with a specially-crafted image configuration could gain access to read-only copies of arbitrary files and directories on the host. This may bypass any policy-based enforcement on container setup (including a Kubernetes Pod Security Policy) and expose potentially sensitive information. Kubernetes and crictl can both be configured to use containerd’s CRI implementation. This bug has been fixed in containerd 1.6.1, 1.5.10, and 1.4.12. Users should update to these versions to resolve the issue. | CVE-2022-23648 | High | Low | 22.12.4 | Cobia 23.10-BETA.1 | Link | TrueNAS assessment: only exploitable by a privileged user |
github.com/containerd/containerd (1.5.7) | containerd is an open source container runtime. A bug was found in the containerd's CRI implementation where programs inside a container can cause the containerd daemon to consume memory without bound during invocation of the `ExecSync` API. This can cause containerd to consume all available memory on the computer, denying service to other legitimate workloads. Kubernetes and crictl can both be configured to use containerd's CRI implementation; `ExecSync` may be used when running probes or when executing processes via an "exec" facility. This bug has been fixed in containerd 1.6.6 and 1.5.13. Users should update to these versions to resolve the issue. Users unable to upgrade should ensure that only trusted images and commands are used. | CVE-2022-31030 | Medium | Low | 22.12.4 | Cobia 23.10-BETA.1 | Link | TrueNAS assessment: only exploitable by a privileged user |
github.com/containerd/containerd (1.5.7) | The OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution of content. In the OCI Distribution Specification version 1.0.0 and prior, the Content-Type header alone was used to determine the type of document during push and pull operations. Documents that contain both “manifests” and “layers” fields could be interpreted as either a manifest or an index in the absence of an accompanying Content-Type header. If a Content-Type header changed between two pulls of the same digest, a client may interpret the resulting content differently. The OCI Distribution Specification has been updated to require that a mediaType value present in a manifest or index match the Content-Type header used during the push and pull operations. Clients pulling from a registry may distrust the Content-Type header and reject an ambiguous document that contains both “manifests” and “layers” fields or “manifests” and “config” fields if they are unable to update to version 1.0.1 of the spec. | CVE-2021-41190 | Medium | Low | 22.12.4 | Cobia 23.10-BETA.1 | Link | TrueNAS assessment: only exploitable by a privileged user |
github.com/containerd/containerd (1.5.7) | containerd is an open source container runtime. On installations using SELinux, such as EL8 (CentOS, RHEL), Fedora, or SUSE MicroOS, with containerd since v1.5.0-beta.0 as the backing container runtime interface (CRI), an unprivileged pod scheduled to the node may bind mount, via hostPath volume, any privileged, regular file on disk for complete read/write access (sans delete). Such is achieved by placing the in-container location of the hostPath volume mount at either `/etc/hosts`, `/etc/hostname`, or `/etc/resolv.conf`. These locations are being relabeled indiscriminately to match the container process-label which effectively elevates permissions for savvy containers that would not normally be able to access privileged host files. This issue has been resolved in version 1.5.9. Users are advised to upgrade as soon as possible. | CVE-2021-43816 | Critical | Low | 22.12.4 | Cobia 23.10-BETA.1 | Link | TrueNAS assessment: only exploitable by a privileged user |
github.com/minio/console (0.12.5) | Minio Console is the UI for MinIO Object Storage. Unicode RIGHT-TO-LEFT OVERRIDE characters can be used to mask the original filename. This issue has been patched in version 0.28.0. | CVE-2023-33955 | Medium | Low | 22.12.4 | Cobia 23.10-BETA.1 | Link | The built-in MinIO service (the source of this component) is exploitable, but this can be mitigated by migrating to the “Plugin-Based” MinIO service, which is patched beyond this vulnerability level. With the built-in S3 service set to “Disabled” in the TrueNAS UI, TrueNAS is not vulnerable. This issue may be addressed in a future TrueNAS release. |
k8s.io/apiserver (v0.22.5 & v0.24.2) | A security issue was discovered in Kubernetes where actors that control the responses of MutatingWebhookConfiguration or ValidatingWebhookConfiguration requests are able to redirect kube-apiserver requests to private networks of the apiserver. If that user can view kube-apiserver logs when the log level is set to 10, they can view the redirected responses and headers in the logs. | CVE-2020-8561 | Medium | Low | 22.12.4 | Not yet resolved | Link | TrueNAS assessment: only exploitable by a privileged user |
github.com/coredns/coredns (1.4.0) | A flaw was found in coreDNS. This flaw allows a malicious user to reroute internal calls to some internal services that were accessed by the FQDN in a format of `<service>.<namespace>.svc`. | CVE-2022-2835 | Medium | Low | 22.12.4 | Cobia 23.10-BETA.1 | Link | The built-in MinIO service (the source of this component) is exploitable, but this can be mitigated by migrating to the “Plugin-Based” MinIO service, which is patched beyond this vulnerability level. With the built-in S3 service set to “Disabled” in the TrueNAS UI, TrueNAS is not vulnerable. This issue may be addressed in a future TrueNAS release. |
github.com/coredns/coredns (1.4.0) | A flaw was found in coreDNS. This flaw allows a malicious user to redirect traffic intended for external top-level domains (TLD) to a pod they control by creating projects and namespaces that match the TLD. | CVE-2022-2837 | Medium | Low | 22.12.4 | Cobia 23.10-BETA.1 | Link | The built-in MinIO service (the source of this component) is exploitable, but this can be mitigated by migrating to the “Plugin-Based” MinIO service, which is patched beyond this vulnerability level. With the built-in S3 service set to “Disabled” in the TrueNAS UI, TrueNAS is not vulnerable. This issue may be addressed in a future TrueNAS release. |
github.com/opencontainers/image-spec (1.0.1) | The OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution of content. In the OCI Distribution Specification version 1.0.0 and prior, the Content-Type header alone was used to determine the type of document during push and pull operations. Documents that contain both “manifests” and “layers” fields could be interpreted as either a manifest or an index in the absence of an accompanying Content-Type header. If a Content-Type header changed between two pulls of the same digest, a client may interpret the resulting content differently. The OCI Distribution Specification has been updated to require that a mediaType value present in a manifest or index match the Content-Type header used during the push and pull operations. Clients pulling from a registry may distrust the Content-Type header and reject an ambiguous document that contains both “manifests” and “layers” fields or “manifests” and “config” fields if they are unable to update to version 1.0.1 of the spec. | CVE-2021-41190 | Medium | Low | 22.12.4 | Cobia 23.10-BETA.1 | Link | TrueNAS assessment: only exploitable by a privileged user |
github.com/opencontainers/runc (v1.1.3 & v1.0.2 & v1.1.2) | runc is a CLI tool for spawning and running containers according to the OCI specification. In affected versions it was found that rootless runc makes `/sys/fs/cgroup` writable in the following conditions: 1. when runc is executed inside the user namespace, and the `config.json` does not specify the cgroup namespace to be unshared (e.g., `(docker\|podman\|nerdctl) run --cgroupns=host`, with Rootless Docker/Podman/nerdctl), or 2. when runc is executed outside the user namespace, and `/sys` is mounted with `rbind, ro` (e.g., `runc spec --rootless`; this condition is very rare). A container may gain write access to the user-owned cgroup hierarchy `/sys/fs/cgroup/user.slice/...` on the host. Other users' cgroup hierarchies are not affected. Users are advised to upgrade to version 1.1.5. Users unable to upgrade may unshare the cgroup namespace (`(docker\|podman\|nerdctl) run --cgroupns=private`; this is the default behavior of Docker/Podman/nerdctl on cgroup v2 hosts) or add `/sys/fs/cgroup` to `maskedPaths`. | CVE-2023-25809 | Medium | Low | 22.12.4 | Cobia 23.10-BETA.1 | Link | TrueNAS assessment: only exploitable by a privileged user |
github.com/opencontainers/runc (v1.1.3 & v1.0.2 & v1.1.2) | runc through 1.1.4 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. NOTE: this issue exists because of a CVE-2019-19921 regression. | CVE-2023-27561 | High | Low | 22.12.4 | Cobia 23.10-BETA.1 | Link | TrueNAS assessment: only exploitable by a privileged user |
github.com/opencontainers/runc (v1.1.3 & v1.0.2 & v1.1.2) | runc is a CLI tool for spawning and running containers according to the OCI specification. It was found that AppArmor can be bypassed when `/proc` inside the container is symlinked with a specific mount configuration. This issue has been fixed in runc version 1.1.5, by prohibiting a symlinked `/proc`. See PR #3785 for details. Users are advised to upgrade. Users unable to upgrade should avoid using untrusted container images. | CVE-2023-28642 | High | Low | 22.12.4 | Cobia 23.10-BETA.1 | Link | TrueNAS assessment: only exploitable by a privileged user
github.com/opencontainers/runc (v1.0.2) | runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. A bug was found in runc prior to version 1.1.2 where `runc exec --cap` created processes with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during execve(2). This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container's bounding set. This bug has been fixed in runc 1.1.2. This fix changes `runc exec --cap` behavior such that the additional capabilities granted to the process being executed (as specified via `--cap` arguments) do not include inheritable capabilities. In addition, `runc spec` is changed to not set any inheritable capabilities in the created example OCI spec (`config.json`) file. | CVE-2022-29162 | High | Low | 22.12.4 | Cobia 23.10-BETA.1 | Link | TrueNAS assessment: only exploitable by a privileged user |
github.com/opencontainers/runc (v1.0.2) | runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc, netlink is used internally as a serialization system for specifying the relevant container configuration to the `C` portion of the code (responsible for the based namespace setup of containers). In all versions of runc prior to 1.0.3, the encoder did not handle the possibility of an integer overflow in the 16-bit length field for the byte array attribute type, meaning that a large enough malicious byte array attribute could result in the length overflowing and the attribute contents being parsed as netlink messages for container configuration. This vulnerability requires the attacker to have some control over the configuration of the container and would allow the attacker to bypass the namespace restrictions of the container by simply adding their own netlink payload which disables all namespaces. The main users impacted are those who allow untrusted images with untrusted configurations to run on their machines (such as with shared cloud infrastructure). runc version 1.0.3 contains a fix for this bug. As a workaround, one may try disallowing untrusted namespace paths from your container. It should be noted that untrusted namespace paths would allow the attacker to disable namespace protections entirely even in the absence of this bug. | CVE-2021-43784 | Medium | Low | 22.12.4 | Cobia 23.10-BETA.1 | Link | TrueNAS assessment: only exploitable by a privileged user |
github.com/prometheus/client_golang (v1.10.0 & v1.11.0 & v1.7.1) | client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, the HTTP server is susceptible to a Denial of Service through unbounded cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods. In order to be affected, an instrumented software must use any of the `promhttp.InstrumentHandler*` middleware except `RequestsInFlight`; not filter any specific methods (e.g. GET) before the middleware; pass a metric with a `method` label name to the middleware; and not have any firewall/LB/proxy that filters away requests with an unknown `method`. client_golang version 1.11.1 contains a patch for this issue. Several workarounds are available, including removing the `method` label name from the counter/gauge used in the InstrumentHandler; turning off affected promhttp handlers; adding custom middleware before the promhttp handler that sanitizes the request method given by Go's http.Request; and using a reverse proxy or web application firewall configured to only allow a limited set of methods. | CVE-2022-21698 | High | Low | 22.12.4 | Cobia 23.10-BETA.1 | Link | TrueNAS assessment: only exploitable by a privileged user
github.com/rancher/wrangler (v1.0.0) | An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in wrangler of SUSE Rancher allows remote attackers to inject commands into the underlying host via crafted commands passed to Wrangler. This issue affects: SUSE Rancher wrangler version 0.7.3 and prior versions; wrangler version 0.8.4 and prior versions; wrangler version 1.0.0 and prior versions. | CVE-2022-31249 | Critical | Low | 22.12.4 | Cobia 23.10-BETA.1 | Link | TrueNAS assessment: only exploitable by a privileged user
github.com/rancher/wrangler (v1.0.0) | An Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in SUSE Rancher allows remote attackers to cause denial of service by supplying specially crafted git credentials. This issue affects: SUSE Rancher wrangler version 0.7.3 and prior versions; wrangler version 0.8.4 and prior versions; wrangler version 1.0.0 and prior versions. | CVE-2022-43756 | High | Low | 22.12.4 | Cobia 23.10-BETA.1 | Link | TrueNAS assessment: only exploitable by a privileged user
golang.org/x/text (v0.3.6 & v0.3.7) | An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse. | CVE-2022-32149 | High | Low | 22.12.4 | Cobia 23.10-BETA.1 | Link | TrueNAS assessment: only exploitable by a privileged user |
golang.org/x/text (v0.3.6) | golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic with an out-of-bounds read during BCP 47 language tag parsing. Index calculation is mishandled. If parsing untrusted user input, this can be used as a vector for a denial-of-service attack. | CVE-2021-38561 | High | Low | 22.12.4 | Cobia 23.10-BETA.1 | Link | TrueNAS assessment: only exploitable by a privileged user |
go.mongodb.org/mongo-driver (v1.4.6) | Specific cstrings input may not be properly validated in the MongoDB Go Driver when marshalling Go objects into BSON. A malicious user could use a Go object with a specific string to potentially inject additional fields into marshalled documents. This issue affects all MongoDB Go Drivers up to (and including) 1.5.0. | CVE-2021-20329 | Medium | Low | 22.12.4 | Cobia 23.10-BETA.1 | Link | The built-in MinIO service (the source of this component) is exploitable, but this can be mitigated by migrating to the plugin-based MinIO service, which is patched beyond this vulnerability level. With the built-in S3 service set to “Disabled” in the TrueNAS UI, TrueNAS is not vulnerable. This issue may be addressed in a future TrueNAS release.
busybox (1:1.30.1-6+b3) | BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors. | CVE-2022-28391 | High | Low | 22.12.4 | Not yet resolved | Link | TrueNAS assessment: only exploitable by a privileged user |
busybox (1:1.30.1-6+b3) | BusyBox contains a missing SSL certificate validation vulnerability in the "busybox wget" applet that can result in arbitrary code execution. This attack appears to be exploitable by simply downloading any file over HTTPS using "busybox wget https://compromised-domain.com/important-file". | CVE-2018-1000500 | High | Low | 22.12.4 | Cobia 23.10-BETA.1 | Link | TrueNAS assessment: only exploitable by a privileged user
git (1:2.39.2-1~bpo11+1) | Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that contain an encoded newline can inject unintended values into the credential helper protocol stream, causing the credential helper to retrieve the password for one server (e.g., good.example.com) for an HTTP request being made to another server (e.g., evil.example.com), resulting in credentials for the former being sent to the latter. There are no restrictions on the relationship between the two, meaning that an attacker can craft a URL that will present stored credentials for any host to a host of their choosing. The vulnerability can be triggered by feeding a malicious URL to git clone. However, the affected URLs look rather suspicious; the likely vector would be through systems which automatically clone URLs not visible to the user, such as Git submodules, or package systems built around Git. The problem has been patched in the versions published on April 14th, 2020, going back to v2.17.x. Anyone wishing to backport the change further can do so by applying commit 9a6bbee (the full release includes extra checks for git fsck, but that commit is sufficient to protect clients against the vulnerability). The patched versions are: 2.17.4, 2.18.3, 2.19.4, 2.20.3, 2.21.2, 2.22.3, 2.23.2, 2.24.2, 2.25.3, 2.26.1. | CVE-2020-5260 | High | Low | 22.12.4 | Cobia 23.10-BETA.1 | Link | TrueNAS assessment: only exploitable by a privileged user |
gnupg (2.2.27-2+deb11u2) | GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB. | CVE-2022-3219 | Low | Low | 22.12.4 | Cobia 23.10-BETA.1 | Link | iX assessment: low risk and no fix expected from upstream
gnupg (2.2.27-2+deb11u2) | A vulnerability was found in the Libksba library due to an integer overflow within the CRL parser. The vulnerability can be exploited remotely for code execution on the target system by passing specially crafted data to the application, for example, a malicious S/MIME attachment. | CVE-2022-3515 | Critical | Low | 22.12.4 | Cobia 23.10-BETA.1 | Link | TrueNAS assessment: only exploitable by a privileged user |
helm (3.9.4-1) | Helm is a tool that streamlines installing and managing Kubernetes applications. `getHostByName` is a Helm template function introduced in Helm v3. The function is able to accept a hostname and return an IP address for that hostname. To get the IP address the function performs a DNS lookup. The DNS lookup happens when used with `helm install|upgrade|template` or when the Helm SDK is used to render a chart. Information passed into the chart can be disclosed to the DNS servers used to look up the IP address. For example, a malicious chart could inject `getHostByName` into a chart in order to disclose values to a malicious DNS server. The issue has been fixed in Helm 3.11.1. Prior to using a chart with Helm, verify the `getHostByName` function is not being used in a template to disclose any information you do not want passed to DNS servers. | CVE-2023-25165 | Medium | Medium | 22.12.4 | Cobia 23.10-BETA.1 | Link | Impact of fix is too high risk, resolution available in Cobia BETA.1 and beyond
helm (3.9.4-1) | Helm is a tool for managing Charts, pre-configured Kubernetes resources. Versions prior to 3.10.3 are subject to Uncontrolled Resource Consumption, resulting in Denial of Service. Input to functions in the _strvals_ package can cause a stack overflow. In Go, a stack overflow cannot be recovered from. Applications that use functions from the _strvals_ package in the Helm SDK can have a Denial of Service attack when they use this package and it panics. This issue has been patched in 3.10.3. SDK users can validate strings supplied by users won't create large arrays causing significant memory usage before passing them to the _strvals_ functions. | CVE-2022-23524 | High | Medium | 22.12.4 | Cobia 23.10-BETA.1 | Link | Impact of fix is too high risk, resolution available in Cobia BETA.1 and beyond |
helm (3.9.4-1) | Helm is a tool for managing Charts, pre-configured Kubernetes resources. Versions prior to 3.10.3 are subject to NULL Pointer Dereference in the _repo_package. The _repo_ package contains a handler that processes the index file of a repository. For example, the Helm client adds references to chart repositories where charts are managed. The _repo_ package parses the index file of the repository and loads it into structures Go can work with. Some index files can cause array data structures to be created causing a memory violation. Applications that use the _repo_ package in the Helm SDK to parse an index file can suffer a Denial of Service when that input causes a panic that cannot be recovered from. The Helm Client will panic with an index file that causes a memory violation panic. Helm is not a long running service so the panic will not affect future uses of the Helm client. This issue has been patched in 3.10.3. SDK users can validate index files that are correctly formatted before passing them to the _repo_ functions. | CVE-2022-23525 | High | Medium | 22.12.4 | Cobia 23.10-BETA.1 | Link | Impact of fix is too high risk, resolution available in Cobia BETA.1 and beyond |
helm (3.9.4-1) | Helm is a tool for managing Charts, pre-configured Kubernetes resources. Versions prior to 3.10.3 are subject to NULL Pointer Dereference in the _chartutil_ package that can cause a segmentation violation. The _chartutil_ package contains a parser that loads a JSON Schema validation file. For example, the Helm client when rendering a chart will validate its values with the schema file. The _chartutil_ package parses the schema file and loads it into structures Go can work with. Some schema files can cause array data structures to be created causing a memory violation. Applications that use the _chartutil_ package in the Helm SDK to parse a schema file can suffer a Denial of Service when that input causes a panic that cannot be recovered from. Helm is not a long running service so the panic will not affect future uses of the Helm client. This issue has been patched in 3.10.3. SDK users can validate schema files that are correctly formatted before passing them to the _chartutil_ functions. | CVE-2022-23526 | High | Medium | 22.12.4 | Cobia 23.10-BETA.1 | Link | Impact of fix is too high risk, resolution available in Cobia BETA.1 and beyond
openssl (1.1.1t-001+deb11u4) | Issue summary: Processing some specially crafted ASN.1 object identifiers or data containing them may be very slow. Impact summary: Applications that use OBJ_obj2txt() directly, or use any of the OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message size limit may experience notable to very long delays when processing those messages, which may lead to a Denial of Service. An OBJECT IDENTIFIER is composed of a series of numbers - sub-identifiers - most of which have no size limit. OBJ_obj2txt() may be used to translate an ASN.1 OBJECT IDENTIFIER given in DER encoding form (using the OpenSSL type ASN1_OBJECT) to its canonical numeric text form, which are the sub-identifiers of the OBJECT IDENTIFIER in decimal form, separated by periods. When one of the sub-identifiers in the OBJECT IDENTIFIER is very large (these are sizes that are seen as absurdly large, taking up tens or hundreds of KiBs), the translation to a decimal number in text may take a very long time. The time complexity is O(n^2) with 'n' being the size of the sub-identifiers in bytes (*). With OpenSSL 3.0, support to fetch cryptographic algorithms using names / identifiers in string form was introduced. This includes using OBJECT IDENTIFIERs in canonical numeric text form as identifiers for fetching algorithms. Such OBJECT IDENTIFIERs may be received through the ASN.1 structure AlgorithmIdentifier, which is commonly used in multiple protocols to specify what cryptographic algorithm should be used to sign or verify, encrypt or decrypt, or digest passed data. Applications that call OBJ_obj2txt() directly with untrusted data are affected, with any version of OpenSSL. If the use is for the mere purpose of display, the severity is considered low. In OpenSSL 3.0 and newer, this affects the subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS. It also impacts anything that processes X.509 certificates, including simple things like verifying its signature. The impact on TLS is relatively low, because all versions of OpenSSL have a 100KiB limit on the peer's certificate chain. Additionally, this only impacts clients, or servers that have explicitly enabled client authentication. In OpenSSL 1.1.1 and 1.0.2, this only affects displaying diverse objects, such as X.509 certificates. This is assumed to not happen in such a way that it would cause a Denial of Service, so these versions are considered not affected by this issue in such a way that it would be cause for concern, and the severity is therefore considered low. | CVE-2023-2650 | Medium | Low | 22.12.4 | Cobia 23.10-BETA.1 | Link | In OpenSSL 1.1.1 and 1.0.2, this only affects displaying diverse objects, such as X.509 certificates. This is assumed to not happen in such a way that it would cause a Denial of Service, so these versions are considered not affected by this issue in such a way that it would be cause for concern, and the severity is therefore considered low.
perl (5.32.1-4+deb11u2) | HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates. | CVE-2023-31486 | High | Low | 22.12.4 | Not yet resolved | Link | TrueNAS assessment: only exploitable by a privileged user |
rsyslog (8.2102.0-2+deb11u1) | rsyslog uses weak permissions for generating log files, which allows local users to obtain sensitive information by reading files in /var/log/cron. | CVE-2015-3243 | Medium | Low | 22.12.4 | Not yet resolved | Link | TrueNAS assessment: only exploitable by a privileged user |
busybox (1:1.30.1-6+b3) | There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution. | CVE-2022-48174 | Critical | Low | 22.12.4 | Cobia 23.10-BETA.1 | Link | TrueNAS assessment: only exploitable by a privileged user |
haproxy (2.6.12-1~bpo11+1) | HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2.7.x before 2.7.10, and 2.8.x before 2.8.2 forwards empty Content-Length headers, violating RFC 9110 section 8.6. In uncommon cases, an HTTP/1 server behind HAProxy may interpret the payload as an extra request. | CVE-2023-40225 | High | Low | 22.12.4 | Not yet resolved | Link | TrueNAS assessment: only exploitable by a privileged user |
perl (5.32.1-4+deb11u2) | CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS. | CVE-2023-31484 | High | Low | 22.12.4 | Not yet resolved | Link | TrueNAS assessment: only exploitable by a privileged user |
openssl (3.0.9-2) | Issue summary: The POLY1305 MAC (message authentication code) implementation contains a bug that might corrupt the internal state of applications on the Windows 64 platform when running on newer X86_64 processors supporting the AVX512-IFMA instructions. Impact summary: If in an application that uses the OpenSSL library an attacker can influence whether the POLY1305 MAC algorithm is used, the application state might be corrupted with various application dependent consequences. The POLY1305 MAC (message authentication code) implementation in OpenSSL does not save the contents of non-volatile XMM registers on Windows 64 platform when calculating the MAC of data larger than 64 bytes. Before returning to the caller all the XMM registers are set to zero rather than restoring their previous content. The vulnerable code is used only on newer x86_64 processors supporting the AVX512-IFMA instructions. The consequences of this kind of internal application state corruption can be various - from no consequences, if the calling application does not depend on the contents of non-volatile XMM registers at all, to the worst consequences, where the attacker could get complete control of the application process. However given the contents of the registers are just zeroized so the attacker cannot put arbitrary values inside, the most likely consequence, if any, would be an incorrect result of some application dependent calculations or a crash leading to a denial of service. The POLY1305 MAC algorithm is most frequently used as part of the CHACHA20-POLY1305 AEAD (authenticated encryption with associated data) algorithm. The most common usage of this AEAD cipher is with TLS protocol versions 1.2 and 1.3 and a malicious client can influence whether this AEAD cipher is used by the server. This implies that server applications using OpenSSL can be potentially impacted. However we are currently not aware of any concrete application that would be affected by this issue therefore we consider this a Low severity security issue. As a workaround the AVX512-IFMA instructions support can be disabled at runtime by setting the environment variable OPENSSL_ia32cap: OPENSSL_ia32cap=:~0x200000 The FIPS provider is not affected by this issue. | CVE-2023-4807 | High | False Positive | 22.12.4 | N/A - False Positive | Link | Only applicable to Windows operating systems - False positive
samba (2:4.17.11+ix-1) | smbd allows client access to unix domain sockets on the file system. | CVE-2023-3931 | Medium | Critical | 22.12.4 | 22.12.4.1 | Link | Exploitable, action recommended: upgrade to 22.12.4.1 |
samba (2:4.17.11+ix-1) | Samba AD DC password exposure to privileged users and RODCs | CVE-2023-4154 | High | Low | 22.12.4 | 22.12.4.1 | Link | TrueNAS assessment: only exploitable by a privileged user |
samba (2:4.17.11+ix-1) | SMB clients can truncate files with read-only permissions | CVE-2023-4091 | Medium | Low | 22.12.4 | 22.12.4.1 | Link | TrueNAS assessment: only exploitable by a privileged user |
samba (2:4.17.11+ix-1) | "rpcecho" development server allows Denial of Service via sleep() call on AD DC | CVE-2023-42669 | Medium | Low | 22.12.4 | 22.12.4.1 | Link | TrueNAS assessment: only exploitable by a privileged user |
samba (2:4.17.11+ix-1) | Samba AD DC Busy RPC multiple listener DoS | CVE-2023-42670 | Medium | Low | 22.12.4 | 22.12.4.1 | Link | TrueNAS assessment: only exploitable by a privileged user |
k8s.io/apiserver (v0.27.2) | A security issue was discovered in Kubernetes where actors that control the responses of MutatingWebhookConfiguration or ValidatingWebhookConfiguration requests are able to redirect kube-apiserver requests to private networks of the apiserver. If that user can view kube-apiserver logs when the log level is set to 10, they can view the redirected responses and headers in the logs. | CVE-2020-8561 | Medium | Low | 23.10.0 | Not yet resolved | Link | TrueNAS assessment: only exploitable by a privileged user |
golang.org/x/net/ (0.10.0, 0.8.0, 0.7.0) | Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack. | CVE-2023-3978 | Medium | Low | 23.10.0 | Not yet resolved | Link | TrueNAS assessment: only exploitable by a privileged user |
google.golang.org/grpc (v1.40.0) | When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. | CVE-2023-32731 | High | False Positive | 23.10.0 | N/A False Positive | Link | Some scanning tools flag this C++-only gRPC bug; this deployment uses the Go implementation. No exposure.
google.golang.org/protobuf (v1.30, v1.29 & v1.28.1) | Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater. | CVE-2021-22570 | Medium | False Positive | 23.10.0 | N/A False Positive | Link | Some scanning tools flag this C++-only protobuf bug; this deployment uses the Go implementation. No exposure.
google.golang.org/protobuf (v1.30, v1.29 & v1.28.1) | protobuf allows remote authenticated attackers to cause a heap-based buffer overflow. | CVE-2015-5237 | High | False Positive | 23.10.0 | N/A False Positive | Link | Some scanning tools flag this C++-only protobuf bug; this deployment uses the Go implementation. No exposure.
github.com/rclone/rclone (v1.63.0) | In Rclone 1.42, use of "rclone sync" to migrate data between two Google Cloud Storage buckets might allow attackers to trigger the transmission of any URL's content to Google, because there is no validation of a URL field received from the Google Cloud Storage API server, aka a "RESTLESS" issue. | CVE-2018-12907 | High | False Positive | 23.10.0 | N/A False Positive | Link | TrueNAS SCALE does not support cloud to cloud sync, not exposed
busybox (1:1.35.0-4+b3) | An issue was discovered in BusyBox through 1.30.0. An out of bounds read in udhcp components (consumed by the DHCP client, server, and/or relay) might allow a remote attacker to leak sensitive information from the stack by sending a crafted DHCP message. This is related to assurance of a 4-byte length when decoding DHCP_SUBNET. NOTE: this issue exists because of an incomplete fix for CVE-2018-20679. | CVE-2019-5747 | High | False Positive | 23.10.0 | N/A False Positive | Link | Some scanning tools identify this vulnerability due to version string parsing issues; this release of BusyBox includes the fix for it and is not impacted.
busybox (1:1.35.0-4+b3) | BusyBox wget prior to commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e contains a buffer overflow vulnerability that can result in a heap buffer overflow. This attack appears to be exploitable via network connectivity. This vulnerability appears to have been fixed after commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e. | CVE-2018-1000517 | Critical | False Positive | 23.10.0 | N/A False Positive | Link | Some scanning tools identify this vulnerability due to version string parsing issues; this release of BusyBox includes the fix for it and is not impacted.
busybox (1:1.35.0-4+b3) | An issue was discovered in BusyBox before 1.30.0. An out of bounds read in udhcp components (consumed by the DHCP server, client, and relay) allows a remote attacker to leak sensitive information from the stack by sending a crafted DHCP message. This is related to verification in udhcp_get_option() in networking/udhcp/common.c that 4-byte options are indeed 4 bytes. | CVE-2018-20679 | High | False Positive | 23.10.0 | N/A False Positive | Link | Some scanning tools identify this vulnerability due to version string parsing issues; this release of BusyBox includes the fix for it and is not impacted.
busybox (1:1.35.0-4+b3) | In the add_match function in libbb/lineedit.c in BusyBox through 1.27.2, the tab autocomplete feature of the shell, used to get a list of filenames in a directory, does not sanitize filenames and results in executing any escape sequence in the terminal. This could potentially result in code execution, arbitrary file writes, or other attacks. | CVE-2017-16544 | High | False Positive | 23.10.0 | N/A False Positive | Link | Some scanning tools identify this vulnerability due to version string parsing issues; this release of BusyBox includes the fix for it and is not impacted.
busybox (1:1.35.0-4+b3) | Integer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to cause a denial of service (crash) via a malformed RFC1035-encoded domain name, which triggers an out-of-bounds heap write. | CVE-2016-2147 | High | False Positive | 23.10.0 | N/A False Positive | Link | Some scanning tools identify this vulnerability due to version string parsing issues; this release of BusyBox includes the fix for it and is not impacted.
busybox (1:1.35.0-4+b3) | Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to have unspecified impact via vectors involving OPTION_6RD parsing. | CVE-2016-2148 | Critical | False Positive | 23.10.0 | N/A False Positive | Link | Some scanning tools identify this vulnerability due to version string parsing issues; this release of BusyBox includes the fix for it and is not impacted.
busybox (1:1.35.0-4+b3) | The recv_and_process_client_pkt function in networking/ntpd.c in BusyBox allows remote attackers to cause a denial of service (CPU and bandwidth consumption) via a forged NTP packet, which triggers a communication loop. | CVE-2016-6301 | High | False Positive | 23.10.0 | N/A False Positive | Link | Some scanning tools identify this vulnerability due to version string parsing issues; this release of BusyBox includes the fix for it and is not impacted.
busybox (1:1.35.0-4+b3) | huft_build in archival/libarchive/decompress_gunzip.c in BusyBox before 1.27.2 misuses a pointer, causing segfaults and an application crash during an unzip operation on a specially crafted ZIP file. | CVE-2015-9261 | Medium | False Positive | 23.10.0 | N/A False Positive | Link | Some scanning tools identify this vulnerability due to version string parsing issues; this release of BusyBox includes the fix for it and is not impacted.
busybox (1:1.35.0-4+b3) | The add_probe function in modutils/modprobe.c in BusyBox before 1.23.0 allows local users to bypass intended restrictions on loading kernel modules via a / (slash) character in a module name, as demonstrated by an "ifconfig /usbserial up" command or a "mount -t /snd_pcm none /" command. | CVE-2014-9645 | Medium | False Positive | 23.10.0 | N/A False Positive | Link | Some scanning tools identify this vulnerability due to version string parsing issues; this release of BusyBox includes the fix for it and is not impacted.
busybox (1:1.35.0-4+b3) | util-linux/mdev.c in BusyBox before 1.21.0 uses 0777 permissions for parent directories when creating nested directories under /dev/, which allows local users to have unknown impact and attack vectors. | CVE-2013-1813 | High | False Positive | 23.10.0 | N/A False Positive | Link | Some scanning tools identify this vulnerability due to version string parsing issues; this release of BusyBox includes the fix for it and is not impacted.
busybox (1:1.35.0-4+b3) | The DHCP client (udhcpc) in BusyBox before 1.20.0 allows remote DHCP servers to execute arbitrary commands via shell metacharacters in the (1) HOST_NAME, (2) DOMAIN_NAME, (3) NIS_DOMAIN, and (4) TFTP_SERVER_NAME host name options. | CVE-2011-2716 | Medium | False Positive | 23.10.0 | N/A False Positive | Link | Some scanning tools identify this vulnerability due to version string parsing issues; this release of BusyBox includes the fix for it and is not impacted.
busybox (1:1.35.0-4+b3) | Directory traversal vulnerability in the BusyBox implementation of tar before 1.22.0 v5 allows remote attackers to point to files outside the current working directory via a symlink. | CVE-2011-5325 | High | False Positive | 23.10.0 | N/A False Positive | Link | Some scanning tools identify this vulnerability due to version string parsing issues; this release of BusyBox includes the fix for it and is not impacted.
busybox (1:1.35.0-4+b3) | There is a stack overflow vulnerability in ash.c:6030 in BusyBox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution. | CVE-2022-48174 | High | False Positive | 23.10.0 | N/A False Positive | Link | Some scanning tools identify this vulnerability due to version string parsing issues; this release of BusyBox includes the fix for it and is not impacted.
busybox (1:1.35.0-4+b3) | BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors. | CVE-2022-28391 | High | Low | 23.10.0 | Not yet resolved | Link | [bookworm] - sudo <no-dsa> (Minor issue) TrueNAS assessment: only exploitable by a privileged user |
haproxy (2.6.12-1) | An uncontrolled resource consumption vulnerability was discovered in HAProxy which could crash the service. This issue could allow an authenticated remote attacker to run a specially crafted malicious server in an OpenShift cluster. The biggest impact is to availability. | CVE-2023-40225 | High | Low | 23.10.0 | Not yet resolved | Link | TrueNAS assessment: only exploitable by a privileged user |
openssl (3.0.9-2) | Checking excessively long DH keys or parameters may be very slow. Impact summary: Applications that use the functions DH_check(), DH_check_ex() or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. The function DH_check() performs various checks on DH parameters. After fixing CVE-2023-3446 it was discovered that a large q parameter value can also trigger an overly long computation during some of these checks. A correct q value, if present, cannot be larger than the modulus p parameter, thus it is unnecessary to perform these checks if q is larger than p. An application that calls DH_check() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack. The function DH_check() is itself called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_ex() and EVP_PKEY_param_check(). Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications when using the "-check" option. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue. | CVE-2023-3817 | Medium | Low | 23.10.0 | 23.10.1 | Link | TrueNAS assessment: only exploitable by a privileged user |
perl (5.36.0-7) | CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS. | CVE-2023-31484 | High | Low | 23.10.0 | Not yet resolved | Link | [bookworm] - sudo <no-dsa> (Minor issue) TrueNAS assessment: only exploitable by a privileged user |
perl (5.36.0-7) | HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates. | CVE-2023-31486 | High | Low | 23.10.0 | Not yet resolved | Link | [bookworm] - sudo <no-dsa> (Minor issue) TrueNAS assessment: only exploitable by a privileged user |
openssl (3.0.9-2) | Issue summary: The POLY1305 MAC (message authentication code) implementation contains a bug that might corrupt the internal state of applications on the Windows 64 platform when running on newer X86_64 processors supporting the AVX512-IFMA instructions. Impact summary: If in an application that uses the OpenSSL library an attacker can influence whether the POLY1305 MAC algorithm is used, the application state might be corrupted with various application dependent consequences. The POLY1305 MAC (message authentication code) implementation in OpenSSL does not save the contents of non-volatile XMM registers on Windows 64 platform when calculating the MAC of data larger than 64 bytes. Before returning to the caller all the XMM registers are set to zero rather than restoring their previous content. The vulnerable code is used only on newer x86_64 processors supporting the AVX512-IFMA instructions. The consequences of this kind of internal application state corruption can be various - from no consequences, if the calling application does not depend on the contents of non-volatile XMM registers at all, to the worst consequences, where the attacker could get complete control of the application process. However, given that the contents of the registers are just zeroized, the attacker cannot put arbitrary values inside, so the most likely consequence, if any, would be an incorrect result of some application dependent calculations or a crash leading to a denial of service. The POLY1305 MAC algorithm is most frequently used as part of the CHACHA20-POLY1305 AEAD (authenticated encryption with associated data) algorithm. The most common usage of this AEAD cipher is with TLS protocol versions 1.2 and 1.3 and a malicious client can influence whether this AEAD cipher is used by the server. This implies that server applications using OpenSSL can be potentially impacted. However, we are currently not aware of any concrete application that would be affected by this issue, therefore we consider this a Low severity security issue. As a workaround the AVX512-IFMA instructions support can be disabled at runtime by setting the environment variable OPENSSL_ia32cap: OPENSSL_ia32cap=:~0x200000 The FIPS provider is not affected by this issue. | CVE-2023-4807 | High | False Positive | 23.10.0 | N/A False Positive | Link | Only applicable to Windows operating systems - false positive |
k8s.io/apiserver (v0.27.2) | A security issue was discovered in Kubernetes where actors that control the responses of MutatingWebhookConfiguration or ValidatingWebhookConfiguration requests are able to redirect kube-apiserver requests to private networks of the apiserver. If that user can view kube-apiserver logs when the log level is set to 10, they can view the redirected responses and headers in the logs. | CVE-2020-8561 | Medium | Low | 23.10.1 | Not yet resolved | Link | TrueNAS assessment: only exploitable by a privileged user |
golang.org/x/net/ (0.10.0, 0.8.0, 0.7.0) | Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack. | CVE-2023-3978 | Medium | Low | 23.10.1 | Not yet resolved | Link | TrueNAS assessment: only exploitable by a privileged user |
golang.org/x/net/ (0.10.0, 0.8.0, 0.7.0) | A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function. | CVE-2023-39325 | High | Low | 23.10.1 | Not yet resolved | Link | TrueNAS assessment: minor issue, no advisory. |
google.golang.org/grpc (v1.40.0) | When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. | CVE-2023-32731 | High | False Positive | 23.10.1 | N/A False Positive | Link | Some scanning tools flag this C++-only grpc bug; this deployment uses the Go implementation. No exposure. |
google.golang.org/protobuf (v1.30, v1.28 & v1.28.1) | Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater. | CVE-2021-22570 | Medium | False Positive | 23.10.1 | N/A False Positive | Link | Some scanning tools flag this C++-only grpc bug; this deployment uses the Go implementation. No exposure. |
google.golang.org/protobuf (v1.30, v1.29 & v1.28.1) | protobuf allows remote authenticated attackers to cause a heap-based buffer overflow. | CVE-2015-5237 | High | False Positive | 23.10.1 | N/A False Positive | Link | Some scanning tools flag this C++-only grpc bug; this deployment uses the Go implementation. No exposure. |
github.com/rclone/rclone (v1.63.0) | In Rclone 1.42, use of "rclone sync" to migrate data between two Google Cloud Storage buckets might allow attackers to trigger the transmission of any URL's content to Google, because there is no validation of a URL field received from the Google Cloud Storage API server, aka a "RESTLESS" issue. | CVE-2018-12907 | High | False Positive | 23.10.1 | N/A False Positive | Link | TrueNAS SCALE does not support cloud-to-cloud sync; not exposed |
busybox (1:1.35.0-4+b3) | An issue was discovered in BusyBox through 1.30.0. An out of bounds read in udhcp components (consumed by the DHCP client, server, and/or relay) might allow a remote attacker to leak sensitive information from the stack by sending a crafted DHCP message. This is related to assurance of a 4-byte length when decoding DHCP_SUBNET. NOTE: this issue exists because of an incomplete fix for CVE-2018-20679. | CVE-2019-5747 | High | False Positive | 23.10.1 | N/A False Positive | Link | Some scanning tools identify this vulnerability due to version string parsing issues; this release of busybox includes the fix to address this vulnerability and is not impacted. |
busybox (1:1.35.0-4+b3) | BusyBox project BusyBox wget version prior to commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e contains a Buffer Overflow vulnerability in Busybox wget that can result in heap buffer overflow. This attack appears to be exploitable via network connectivity. This vulnerability appears to have been fixed after commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e. | CVE-2018-1000517 | Critical | False Positive | 23.10.1 | N/A False Positive | Link | Some scanning tools identify this vulnerability due to version string parsing issues; this release of busybox includes the fix to address this vulnerability and is not impacted. |
busybox (1:1.35.0-4+b3) | An issue was discovered in BusyBox before 1.30.0. An out of bounds read in udhcp components (consumed by the DHCP server, client, and relay) allows a remote attacker to leak sensitive information from the stack by sending a crafted DHCP message. This is related to verification in udhcp_get_option() in networking/udhcp/common.c that 4-byte options are indeed 4 bytes. | CVE-2018-20679 | High | False Positive | 23.10.1 | N/A False Positive | Link | Some scanning tools identify this vulnerability due to version string parsing issues; this release of busybox includes the fix to address this vulnerability and is not impacted. |
busybox (1:1.35.0-4+b3) | In the add_match function in libbb/lineedit.c in BusyBox through 1.27.2, the tab autocomplete feature of the shell, used to get a list of filenames in a directory, does not sanitize filenames and results in executing any escape sequence in the terminal. This could potentially result in code execution, arbitrary file writes, or other attacks. | CVE-2017-16544 | High | False Positive | 23.10.1 | N/A False Positive | Link | Some scanning tools identify this vulnerability due to version string parsing issues; this release of busybox includes the fix to address this vulnerability and is not impacted. |
busybox (1:1.35.0-4+b3) | Integer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to cause a denial of service (crash) via a malformed RFC1035-encoded domain name, which triggers an out-of-bounds heap write. | CVE-2016-2147 | High | False Positive | 23.10.1 | N/A False Positive | Link | Some scanning tools identify this vulnerability due to version string parsing issues; this release of busybox includes the fix to address this vulnerability and is not impacted. |
busybox (1:1.35.0-4+b3) | Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to have unspecified impact via vectors involving OPTION_6RD parsing. | CVE-2016-2148 | Critical | False Positive | 23.10.1 | N/A False Positive | Link | Some scanning tools identify this vulnerability due to version string parsing issues; this release of busybox includes the fix to address this vulnerability and is not impacted. |
busybox (1:1.35.0-4+b3) | The recv_and_process_client_pkt function in networking/ntpd.c in busybox allows remote attackers to cause a denial of service (CPU and bandwidth consumption) via a forged NTP packet, which triggers a communication loop. | CVE-2016-6301 | High | False Positive | 23.10.1 | N/A False Positive | Link | Some scanning tools identify this vulnerability due to version string parsing issues; this release of busybox includes the fix to address this vulnerability and is not impacted. |
busybox (1:1.35.0-4+b3) | huft_build in archival/libarchive/decompress_gunzip.c in BusyBox before 1.27.2 misuses a pointer, causing segfaults and an application crash during an unzip operation on a specially crafted ZIP file. | CVE-2015-9261 | Medium | False Positive | 23.10.1 | N/A False Positive | Link | Some scanning tools identify this vulnerability due to version string parsing issues; this release of busybox includes the fix to address this vulnerability and is not impacted. |
busybox (1:1.35.0-4+b3) | The add_probe function in modutils/modprobe.c in BusyBox before 1.23.0 allows local users to bypass intended restrictions on loading kernel modules via a / (slash) character in a module name, as demonstrated by an "ifconfig /usbserial up" command or a "mount -t /snd_pcm none /" command. | CVE-2014-9645 | Medium | False Positive | 23.10.1 | N/A False Positive | Link | Some scanning tools identify this vulnerability due to version string parsing issues; this release of busybox includes the fix to address this vulnerability and is not impacted. |
busybox (1:1.35.0-4+b3) | util-linux/mdev.c in BusyBox before 1.21.0 uses 0777 permissions for parent directories when creating nested directories under /dev/, which allows local users to have unknown impact and attack vectors. | CVE-2013-1813 | High | False Positive | 23.10.1 | N/A False Positive | Link | Some scanning tools identify this vulnerability due to version string parsing issues; this release of busybox includes the fix to address this vulnerability and is not impacted. |
busybox (1:1.35.0-4+b3) | The DHCP client (udhcpc) in BusyBox before 1.20.0 allows remote DHCP servers to execute arbitrary commands via shell metacharacters in the (1) HOST_NAME, (2) DOMAIN_NAME, (3) NIS_DOMAIN, and (4) TFTP_SERVER_NAME host name options. | CVE-2011-2716 | Medium | False Positive | 23.10.1 | N/A False Positive | Link | Some scanning tools identify this vulnerability due to version string parsing issues; this release of busybox includes the fix to address this vulnerability and is not impacted. |
busybox (1:1.35.0-4+b3) | Directory traversal vulnerability in the BusyBox implementation of tar before 1.22.0 v5 allows remote attackers to point to files outside the current working directory via a symlink. | CVE-2011-5325 | High | False Positive | 23.10.1 | N/A False Positive | Link | Some scanning tools identify this vulnerability due to version string parsing issues; this release of busybox includes the fix to address this vulnerability and is not impacted. |
busybox (1:1.35.0-4+b3) | There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution. | CVE-2022-48174 | High | False Positive | 23.10.1 | N/A False Positive | Link | Some scanning tools identify this vulnerability due to version string parsing issues; this release of busybox includes the fix to address this vulnerability and is not impacted. |
busybox (1:1.35.0-4+b3) | BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors. | CVE-2022-28391 | High | Low | 23.10.1 | Not yet resolved | Link | [bookworm] - sudo <no-dsa> (Minor issue) TrueNAS assessment: only exploitable by a privileged user |
haproxy (2.6.12-1) | An uncontrolled resource consumption vulnerability was discovered in HAProxy which could crash the service. This issue could allow an authenticated remote attacker to run a specially crafted malicious server in an OpenShift cluster. The biggest impact is to availability. | CVE-2023-40225 | High | Low | 23.10.1 | Not yet resolved | Link | TrueNAS assessment: only exploitable by a privileged user |
haproxy (2.6.12-1) | HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server. | CVE-2023-45539 | High | False Positive | 23.10.1 | N/A False Positive | Link | TrueNAS assessment: system not affected. We control the rules used in HAProxy matches, and this CVE is only a problem if the rules are intended to match on a suffix (upstream fix: "BUG/MINOR: h1: do not accept '#' as part of the URI component"). |
perl (5.36.0-7) | CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS. | CVE-2023-31484 | High | Low | 23.10.1 | Not yet resolved | Link | [bookworm] - sudo <no-dsa> (Minor issue) TrueNAS assessment: only exploitable by a privileged user |
perl (5.36.0-7) | HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates. | CVE-2023-31486 | High | Low | 23.10.1 | Not yet resolved | Link | [bookworm] - sudo <no-dsa> (Minor issue) TrueNAS assessment: only exploitable by a privileged user |
perl (5.36.0-7) | In Perl before 5.38.2, S_parse_uniprop_string in regcomp.c can write to unallocated space because a property name associated with a \p{...} regular expression construct is mishandled. The earliest affected version is 5.30.0. | CVE-2023-41700 | High | Low | 23.10.1 | Not yet resolved | Link | [bookworm] - sudo <no-dsa> (Minor issue) TrueNAS assessment: only exploitable by a privileged user |
openssl (3.0.12-) | Issue summary: Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow. Impact summary: Applications that use the functions DH_generate_key() to generate an X9.42 DH key may experience long delays. Likewise, applications that use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check() to check an X9.42 DH key or X9.42 DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. While DH_check() performs all the necessary checks (as of CVE-2023-3817), DH_check_pub_key() doesn't make any of these checks, and is therefore vulnerable for excessively large P and Q parameters. Likewise, while DH_generate_key() performs a check for an excessively large P, it doesn't check for an excessively large Q. An application that calls DH_generate_key() or DH_check_pub_key() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack. DH_generate_key() and DH_check_pub_key() are also called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate(). Also vulnerable are the OpenSSL pkey command line application when using the "-pubcheck" option, as well as the OpenSSL genpkey command line application. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue. | CVE-2023-5678 | Medium | Low | 23.10.1 | Not yet resolved | Link | [bookworm] - sudo <no-dsa> (Minor issue) TrueNAS assessment: only exploitable by a privileged user |
busybox 1:1.35.0-4+b3 | BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors. | CVE-2022-28391 | Medium | False Positive | 23.10.2 | | Link | |
busybox 1:1.35.0-4+b3 | An issue was discovered in BusyBox through 1.30.0. An out of bounds read in udhcp components (consumed by the DHCP client, server, and/or relay) might allow a remote attacker to leak sensitive information from the stack by sending a crafted DHCP message. This is related to assurance of a 4-byte length when decoding DHCP_SUBNET. NOTE: this issue exists because of an incomplete fix for CVE-2018-20679. | CVE-2019-5747 | Medium | False Positive | 23.10.2 | | Link | |
busybox 1:1.35.0-4+b3 | Busybox contains a missing SSL certificate validation vulnerability in the "busybox wget" applet that can result in arbitrary code execution. This attack appears to be exploitable by simply downloading any file over HTTPS using "busybox wget https://compromised-domain.com/important-file". | CVE-2018-1000500 | Medium | False Positive | 23.10.2 | | Link | |
busybox 1:1.35.0-4+b3 | BusyBox project BusyBox wget version prior to commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e contains a Buffer Overflow vulnerability in Busybox wget that can result in heap buffer overflow. This attack appears to be exploitable via network connectivity. This vulnerability appears to have been fixed after commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e. | CVE-2018-1000517 | High | False Positive | 23.10.2 | | Link | |
busybox 1:1.35.0-4+b3 | An issue was discovered in BusyBox before 1.30.0. An out of bounds read in udhcp components (consumed by the DHCP server, client, and relay) allows a remote attacker to leak sensitive information from the stack by sending a crafted DHCP message. This is related to verification in udhcp_get_option() in networking/udhcp/common.c that 4-byte options are indeed 4 bytes. | CVE-2018-20679 | Medium | False Positive | 23.10.2 | | Link | |
busybox 1:1.35.0-4+b3 | In the add_match function in libbb/lineedit.c in BusyBox through 1.27.2, the tab autocomplete feature of the shell, used to get a list of filenames in a directory, does not sanitize filenames and results in executing any escape sequence in the terminal. This could potentially result in code execution, arbitrary file writes, or other attacks. | CVE-2017-16544 | Medium | False Positive | 23.10.2 | | Link | |
busybox 1:1.35.0-4+b3 | Integer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to cause a denial of service (crash) via a malformed RFC1035-encoded domain name, which triggers an out-of-bounds heap write. | CVE-2016-2147 | Medium | False Positive | 23.10.2 | | Link | |
busybox 1:1.35.0-4+b3 | Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to have unspecified impact via vectors involving OPTION_6RD parsing. | CVE-2016-2148 | High | False Positive | 23.10.2 | | Link | |
busybox 1:1.35.0-4+b3 | The recv_and_process_client_pkt function in networking/ntpd.c in busybox allows remote attackers to cause a denial of service (CPU and bandwidth consumption) via a forged NTP packet, which triggers a communication loop. | CVE-2016-6301 | High | False Positive | 23.10.2 | | Link | |
busybox 1:1.35.0-4+b3 | huft_build in archival/libarchive/decompress_gunzip.c in BusyBox before 1.27.2 misuses a pointer, causing segfaults and an application crash during an unzip operation on a specially crafted ZIP file. | CVE-2015-9261 | Medium | False Positive | 23.10.2 | | Link | |
busybox 1:1.35.0-4+b3 | The add_probe function in modutils/modprobe.c in BusyBox before 1.23.0 allows local users to bypass intended restrictions on loading kernel modules via a / (slash) character in a module name, as demonstrated by an "ifconfig /usbserial up" command or a "mount -t /snd_pcm none /" command. | CVE-2014-9645 | Low | False Positive | 23.10.2 | | Link | |
busybox 1:1.35.0-4+b3 | util-linux/mdev.c in BusyBox before 1.21.0 uses 0777 permissions for parent directories when creating nested directories under /dev/, which allows local users to have unknown impact and attack vectors. | CVE-2013-1813 | High | False Positive | 23.10.2 | | Link | |
busybox 1:1.35.0-4+b3 | The DHCP client (udhcpc) in BusyBox before 1.20.0 allows remote DHCP servers to execute arbitrary commands via shell metacharacters in the (1) HOST_NAME, (2) DOMAIN_NAME, (3) NIS_DOMAIN, and (4) TFTP_SERVER_NAME host name options. | CVE-2011-2716 | Medium | False Positive | 23.10.2 | | Link | |
busybox 1:1.35.0-4+b3 | Directory traversal vulnerability in the BusyBox implementation of tar before 1.22.0 v5 allows remote attackers to point to files outside the current working directory via a symlink. | CVE-2011-5325 | Medium | False Positive | 23.10.2 | | Link | |
busybox 1:1.35.0-4+b3 | There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution. | CVE-2022-48174 | Critical | False Positive | 23.10.2 | | Link | |
file 1:5.44-3 | Integer underflow in the file_printf function in the "file" program before 4.20 allows user-assisted attackers to execute arbitrary code via a file that triggers a heap-based buffer overflow. | CVE-2007-1536 | High | False Positive | 23.10.2 | | Link | |
git 1:2.39.2-1.1 | The package git before 1.11.0 is vulnerable to Command Injection via git argument injection. When calling the fetch(remote = 'origin', opts = {}) function, the remote parameter is passed to the git fetch subcommand in a way that additional flags can be set. The additional flags can be used to perform a command injection. | CVE-2022-25648 | High | False Positive | 23.10.2 | | Link | |
git 1:2.39.2-1.1 | Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that contain an encoded newline can inject unintended values into the credential helper protocol stream, causing the credential helper to retrieve the password for one server (e.g., good.example.com) for an HTTP request being made to another server (e.g., evil.example.com), resulting in credentials for the former being sent to the latter. There are no restrictions on the relationship between the two, meaning that an attacker can craft a URL that will present stored credentials for any host to a host of their choosing. The vulnerability can be triggered by feeding a malicious URL to git clone. However, the affected URLs look rather suspicious; the likely vector would be through systems which automatically clone URLs not visible to the user, such as Git submodules, or package systems built around Git. The problem has been patched in the versions published on April 14th, 2020, going back to v2.17.x. Anyone wishing to backport the change further can do so by applying commit 9a6bbee (the full release includes extra checks for git fsck, but that commit is sufficient to protect clients against the vulnerability). The patched versions are: 2.17.4, 2.18.3, 2.19.4, 2.20.3, 2.21.2, 2.22.3, 2.23.2, 2.24.2, 2.25.3, 2.26.1. | CVE-2020-5260 | Medium | False Positive | 23.10.2 | | Link | |
github.com/go-git/go-git/v5 v5.9.0 | A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients. Applications using only the in-memory filesystem supported by go-git are not affected by this vulnerability. This is a go-git implementation issue and does not affect the upstream git cli. | CVE-2023-49568 | High | False Positive | 23.10.2 | | Link | |
github.com/go-git/go-git/v5 v5.9.0 | A path traversal vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to create and amend files across the filesystem. In the worst-case scenario, remote code execution could be achieved. Applications are only affected if they are using the ChrootOS https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#ChrootOS , which is the default when using "Plain" versions of Open and Clone funcs (e.g. PlainClone). Applications using BoundOS https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#BoundOS or in-memory filesystems are not affected by this issue. This is a go-git implementation issue and does not affect the upstream git cli. | CVE-2023-49569 | Critical | False Positive | 23.10.2 | | Link | |
github.com/opencontainers/runc v1.1.5 | runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem ("attack 2"). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run ("attack 1"). Variants of attacks 1 and 2 could also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes ("attack 3a" and "attack 3b"). runc 1.1.12 includes patches for this issue. | CVE-2024-21626 | High | Medium | 23.10.2 | Dragonfish 24.10 | Link | Vulnerability is not exposed from the base product. Exposure comes from installing a malicious app; use care when choosing apps. |
github.com/rclone/rclone v1.63.0 | In Rclone 1.42, use of "rclone sync" to migrate data between two Google Cloud Storage buckets might allow attackers to trigger the transmission of any URL's content to Google, because there is no validation of a URL field received from the Google Cloud Storage API server, aka a "RESTLESS" issue. | CVE-2018-12907 | Medium | Low | 23.10.2 | Not yet resolved | Link | |
golang.org/x/crypto v0.13.0 | The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust. | CVE-2023-48795 | Medium | False Positive | 23.10.2 | | Link | |
golang.org/x/crypto v0.5.0 | The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust. | CVE-2023-48795 | Medium | False Positive | 23.10.2 | | Link | |
golang.org/x/crypto v0.7.0 | The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust. | CVE-2023-48795 | Medium | False Positive | 23.10.2 | | Link | |
golang.org/x/net v0.10.0 | A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function. | CVE-2023-39325 | High | False Positive | 23.10.2 | | Link | |
golang.org/x/net v0.10.0 | Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack. | CVE-2023-3978 | Medium | False Positive | 23.10.2 | | Link | |
golang.org/x/net v0.15.0 | A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function. | CVE-2023-39325 | High | False Positive | 23.10.2 | | Link | |
golang.org/x/net v0.7.0 | A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function. | CVE-2023-39325 | High | False Positive | 23.10.2 | | Link | |
golang.org/x/net v0.7.0 | Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack. | CVE-2023-3978 | Medium | False Positive | 23.10.2 | | Link | |
golang.org/x/net v0.8.0 | A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function. | CVE-2023-39325 | High | False Positive | 23.10.2 | | Link | |
golang.org/x/net v0.8.0 | Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack. | CVE-2023-3978 | Medium | False Positive | 23.10.2 | | Link | |
golang.org/x/net v0.8.0 | Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack. | CVE-2023-3978 | Medium | Low | 23.10.2 | Not yet resolved | Link | |
google.golang.org/grpc v1.40.0 | When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. We recommend upgrading beyond the commit contained in https://github.com/grpc/grpc/pull/33005 | CVE-2023-32731 | High | False Positive | 23.10.2 | | Link | |
google.golang.org/protobuf v1.28.0 | Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater. | CVE-2021-22570 | Low | False Positive | 23.10.2 | | Link | |
google.golang.org/protobuf v1.28.0 | protobuf allows remote authenticated attackers to cause a heap-based buffer overflow. | CVE-2015-5237 | Medium | False Positive | 23.10.2 | | Link | |
google.golang.org/protobuf v1.28.1 | Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater. | CVE-2021-22570 | Low | False Positive | 23.10.2 | | Link | |
google.golang.org/protobuf v1.28.1 | protobuf allows remote authenticated attackers to cause a heap-based buffer overflow. | CVE-2015-5237 | Medium | False Positive | 23.10.2 | | Link | |
google.golang.org/protobuf v1.30.0 | Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater. | CVE-2021-22570 | Low | False Positive | 23.10.2 | | Link | |
google.golang.org/protobuf v1.30.0 | protobuf allows remote authenticated attackers to cause a heap-based buffer overflow. | CVE-2015-5237 | Medium | False Positive | 23.10.2 | | Link | |
haproxy 2.6.12-1 | An uncontrolled resource consumption vulnerability was discovered in HAProxy which could crash the service. This issue could allow an authenticated remote attacker to run a specially crafted malicious server in an OpenShift cluster. The biggest impact is to availability. | CVE-2023-0056 | Medium | False Positive | 23.10.2 | | Link | |
haproxy 2.6.12-1 | HAProxy statistics in openstack-tripleo-image-elements are non-authenticated over the network. | CVE-2016-2102 | Medium | False Positive | 23.10.2 | | Link | |
haproxy 2.6.12-1 | HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2.7.x before 2.7.10, and 2.8.x before 2.8.2 forwards empty Content-Length headers, violating RFC 9110 section 8.6. In uncommon cases, an HTTP/1 server behind HAProxy may interpret the payload as an extra request. | CVE-2023-40225 | High | False Positive | 23.10.2 | | Link | |
haproxy 2.6.12-1 | HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server. | CVE-2023-45539 | High | False Positive | 23.10.2 | | Link | |
k8s.io/apiserver v0.27.2 | A security issue was discovered in Kubernetes where actors that control the responses of MutatingWebhookConfiguration or ValidatingWebhookConfiguration requests are able to redirect kube-apiserver requests to private networks of the apiserver. If that user can view kube-apiserver logs when the log level is set to 10, they can view the redirected responses and headers in the logs. | CVE-2020-8561 | Medium | False Positive | 23.10.2 | | Link | |
keepalived 1:2.2.7-1+b2 | In Keepalived through 2.2.4, the D-Bus policy does not sufficiently restrict the message destination, allowing any user to inspect and manipulate any property. This leads to access-control bypass in some situations in which an unrelated D-Bus system service has a settable (writable) property. | CVE-2021-44225 | Medium | False Positive | 23.10.2 | | Link | |
keepalived 1:2.2.7-1+b2 | keepalived before 2.0.7 has a heap-based buffer overflow when parsing HTTP status codes resulting in DoS or possibly unspecified other impact, because extract_status_code in lib/html.c has no validation of the status code and instead writes an unlimited amount of data to the heap. | CVE-2018-19115 | High | False Positive | 23.10.2 | | Link | keepalived not used in proxy mode. |
openssl 3.0.11-1~deb12u3 | Issue summary: A bug has been identified in the processing of key and initialisation vector (IV) lengths. This can lead to potential truncation or overruns during the initialisation of some symmetric ciphers. Impact summary: A truncation in the IV can result in non-uniqueness, which could result in loss of confidentiality for some cipher modes. When calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or EVP_CipherInit_ex2() the provided OSSL_PARAM array is processed after the key and IV have been established. Any alterations to the key length, via the "keylen" parameter or the IV length, via the "ivlen" parameter, within the OSSL_PARAM array will not take effect as intended, potentially causing truncation or overreading of these values. The following ciphers and cipher modes are impacted: RC2, RC4, RC5, CCM, GCM and OCB. For the CCM, GCM and OCB cipher modes, truncation of the IV can result in loss of confidentiality. For example, when following NIST's SP 800-38D section 8.2.1 guidance for constructing a deterministic IV for AES in GCM mode, truncation of the counter portion could lead to IV reuse. Both truncations and overruns of the key and overruns of the IV will produce incorrect results and could, in some cases, trigger a memory exception. However, these issues are not currently assessed as security critical. Changing the key and/or IV lengths is not considered to be a common operation and the vulnerable API was recently introduced. Furthermore it is likely that application developers will have spotted this problem during testing since decryption would fail unless both peers in the communication were similarly vulnerable. For these reasons we expect the probability of an application being vulnerable to this to be quite low. However if an application is vulnerable then this issue is considered very serious. For these reasons we have assessed this issue as Moderate severity overall. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this because the issue lies outside of the FIPS provider boundary. OpenSSL 3.1 and 3.0 are vulnerable to this issue. | CVE-2023-5363 | High | False Positive | 23.10.2 | | Link | |
openssl 3.0.11-1~deb12u3 | Issue summary: Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow. Impact summary: Applications that use the functions DH_generate_key() to generate an X9.42 DH key may experience long delays. Likewise, applications that use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check() to check an X9.42 DH key or X9.42 DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. While DH_check() performs all the necessary checks (as of CVE-2023-3817), DH_check_pub_key() doesn't make any of these checks, and is therefore vulnerable for excessively large P and Q parameters. Likewise, while DH_generate_key() performs a check for an excessively large P, it doesn't check for an excessively large Q. An application that calls DH_generate_key() or DH_check_pub_key() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack. DH_generate_key() and DH_check_pub_key() are also called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate(). Also vulnerable are the OpenSSL pkey command line application when using the "-pubcheck" option, as well as the OpenSSL genpkey command line application. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue. | CVE-2023-5678 | Medium | False Positive | 23.10.2 | | Link | |
openssl 3.0.11-1~deb12u3 | Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL to crash leading to a potential Denial of Service attack Impact summary: Applications loading files in the PKCS12 format from untrusted sources might terminate abruptly. A file in PKCS12 format can contain certificates and keys and may come from an untrusted source. The PKCS12 specification allows certain fields to be NULL, but OpenSSL does not correctly check for this case. This can lead to a NULL pointer dereference that results in OpenSSL crashing. If an application processes PKCS12 files from an untrusted source using the OpenSSL APIs then that application will be vulnerable to this issue. OpenSSL APIs that are vulnerable to this are: PKCS12_parse(), PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes() and PKCS12_newpass(). We have also fixed a similar issue in SMIME_write_PKCS7(). However since this function is related to writing data we do not consider it security significant. The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. | CVE-2024-0727 | Medium | False Positive | 23.10.2 | | Link | |
openssl 3.0.11-1~deb12u3 | Issue summary: The POLY1305 MAC (message authentication code) implementation contains a bug that might corrupt the internal state of applications running on PowerPC CPU based platforms if the CPU provides vector instructions. Impact summary: If an attacker can influence whether the POLY1305 MAC algorithm is used, the application state might be corrupted with various application dependent consequences. The POLY1305 MAC (message authentication code) implementation in OpenSSL for PowerPC CPUs restores the contents of vector registers in a different order than they are saved. Thus the contents of some of these vector registers are corrupted when returning to the caller. The vulnerable code is used only on newer PowerPC processors supporting the PowerISA 2.07 instructions. The consequences of this kind of internal application state corruption can be various - from no consequences, if the calling application does not depend on the contents of non-volatile XMM registers at all, to the worst consequences, where the attacker could get complete control of the application process. However unless the compiler uses the vector registers for storing pointers, the most likely consequence, if any, would be an incorrect result of some application dependent calculations or a crash leading to a denial of service. The POLY1305 MAC algorithm is most frequently used as part of the CHACHA20-POLY1305 AEAD (authenticated encryption with associated data) algorithm. The most common usage of this AEAD cipher is with TLS protocol versions 1.2 and 1.3. If this cipher is enabled on the server a malicious client can influence whether this AEAD cipher is used. This implies that TLS server applications using OpenSSL can be potentially impacted. However we are currently not aware of any concrete application that would be affected by this issue therefore we consider this a Low severity security issue. | CVE-2023-6129 | Medium | False Positive | 23.10.2 | | Link | |
perl 5.36.0-7 | HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates. | CVE-2023-31486 | High | False Positive | 23.10.2 | | Link | |
perl 5.36.0-7 | CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS. | CVE-2023-31484 | High | False Positive | 23.10.2 | | Link | |
perl 5.36.0-7 | In Perl before 5.38.2, S_parse_uniprop_string in regcomp.c can write to unallocated space because a property name associated with a \p{...} regular expression construct is mishandled. The earliest affected version is 5.30.0. | CVE-2023-47100 | Critical | False Positive | 23.10.2 | | Link | Perl not used with this regular expression. |
busybox 1:1.35.0-4+b3 | The add_probe function in modutils/modprobe.c in BusyBox before 1.23.0 allows local users to bypass intended restrictions on loading kernel modules via a / (slash) character in a module name, as demonstrated by an "ifconfig /usbserial up" command or a "mount -t /snd_pcm none /" command. | CVE-2014-9645 | Low | False Positive | 24.04.0 | Link | busybox not used for add_probe internally. | |
busybox 1:1.35.0-4+b3 | util-linux/mdev.c in BusyBox before 1.21.0 uses 0777 permissions for parent directories when creating nested directories under /dev/, which allows local users to have unknown impact and attack vectors. | CVE-2013-1813 | High | False Positive | 24.04.0 | Link | We don't use busybox for creating directories. | |
busybox 1:1.35.0-4+b3 | The DHCP client (udhcpc) in BusyBox before 1.20.0 allows remote DHCP servers to execute arbitrary commands via shell metacharacters in the (1) HOST_NAME, (2) DOMAIN_NAME, (3) NIS_DOMAIN, and (4) TFTP_SERVER_NAME host name options. | CVE-2011-2716 | Medium | False Positive | 24.04.0 | Link | busybox DHCP not used. | |
busybox 1:1.35.0-4+b3 | Directory traversal vulnerability in the BusyBox implementation of tar before 1.22.0 v5 allows remote attackers to point to files outside the current working directory via a symlink. | CVE-2011-5325 | Medium | False Positive | 24.04.0 | Link | We don't use busybox for tar. | |
busybox 1:1.35.0-4+b3 | There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution. | CVE-2022-48174 | Critical | False Positive | 24.04.0 | Link | We don't use busybox's ash. | |
file 1:5.44-3 | Integer underflow in the file_printf function in the "file" program before 4.20 allows user-assisted attackers to execute arbitrary code via a file that triggers a heap-based buffer overflow. | CVE-2007-1536 | High | False Positive | 24.04.0 | Link | We don't use file internally. | |
git 1:2.39.2-1.1 | The package git before 1.11.0 are vulnerable to Command Injection via git argument injection. When calling the fetch(remote = 'origin', opts = {}) function, the remote parameter is passed to the git fetch subcommand in a way that additional flags can be set. The additional flags can be used to perform a command injection. | CVE-2022-25648 | High | False Positive | 24.04.0 | Link | We don't use git fetch. | |
git 1:2.39.2-1.1 | Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that contain an encoded newline can inject unintended values into the credential helper protocol stream, causing the credential helper to retrieve the password for one server (e.g., good.example.com) for an HTTP request being made to another server (e.g., evil.example.com), resulting in credentials for the former being sent to the latter. There are no restrictions on the relationship between the two, meaning that an attacker can craft a URL that will present stored credentials for any host to a host of their choosing. The vulnerability can be triggered by feeding a malicious URL to git clone. However, the affected URLs look rather suspicious; the likely vector would be through systems which automatically clone URLs not visible to the user, such as Git submodules, or package systems built around Git. The problem has been patched in the versions published on April 14th, 2020, going back to v2.17.x. Anyone wishing to backport the change further can do so by applying commit 9a6bbee (the full release includes extra checks for git fsck, but that commit is sufficient to protect clients against the vulnerability). The patched versions are: 2.17.4, 2.18.3, 2.19.4, 2.20.3, 2.21.2, 2.22.3, 2.23.2, 2.24.2, 2.25.3, 2.26.1. | CVE-2020-5260 | Medium | False Positive | 24.04.0 | Link | We don't use git with credential helpers as part of base system. | |
google.golang.org/protobuf v1.28.0 | Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater. | CVE-2021-22570 | Low | False Positive | 24.04.0 | Link | ||
google.golang.org/protobuf v1.28.0 | protobuf allows remote authenticated attackers to cause a heap-based buffer overflow. | CVE-2015-5237 | Medium | False Positive | 24.04.0 | Link | Protobuf use is internal; no opportunity for authenticated attacker to reach internals. | |
google.golang.org/protobuf v1.30.0 | Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater. | CVE-2021-22570 | Low | False Positive | 24.04.0 | Link | ||
google.golang.org/protobuf v1.30.0 | protobuf allows remote authenticated attackers to cause a heap-based buffer overflow. | CVE-2015-5237 | Medium | False Positive | 24.04.0 | Link | Protobuf use is internal; no opportunity for authenticated attacker to reach internals. | |
google.golang.org/protobuf v1.31.0 | Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater. | CVE-2021-22570 | Low | False Positive | 24.04.0 | Link | ||
google.golang.org/protobuf v1.31.0 | protobuf allows remote authenticated attackers to cause a heap-based buffer overflow. | CVE-2015-5237 | Medium | False Positive | 24.04.0 | Link | Protobuf use is internal; no opportunity for authenticated attacker to reach internals. | |
keepalived 1:2.2.7-1+b2 | In Keepalived through 2.2.4, the D-Bus policy does not sufficiently restrict the message destination, allowing any user to inspect and manipulate any property. This leads to access-control bypass in some situations in which an unrelated D-Bus system service has a settable (writable) property. | CVE-2021-44225 | Medium | False Positive | 24.04.0 | Link | ||
keepalived 1:2.2.7-1+b2 | keepalived before 2.0.7 has a heap-based buffer overflow when parsing HTTP status codes resulting in DoS or possibly unspecified other impact, because extract_status_code in lib/html.c has no validation of the status code and instead writes an unlimited amount of data to the heap. | CVE-2018-19115 | High | False Positive | 24.04.0 | Link | iX Analysis: We don't use keepalived in proxy mode, so this issue is irrelevant. | |
openssl 3.0.11-1~deb12u3 | Issue summary: A bug has been identified in the processing of key and initialisation vector (IV) lengths. This can lead to potential truncation or overruns during the initialisation of some symmetric ciphers. Impact summary: A truncation in the IV can result in non-uniqueness, which could result in loss of confidentiality for some cipher modes. When calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or EVP_CipherInit_ex2() the provided OSSL_PARAM array is processed after the key and IV have been established. Any alterations to the key length, via the "keylen" parameter or the IV length, via the "ivlen" parameter, within the OSSL_PARAM array will not take effect as intended, potentially causing truncation or overreading of these values. The following ciphers and cipher modes are impacted: RC2, RC4, RC5, CCM, GCM and OCB. For the CCM, GCM and OCB cipher modes, truncation of the IV can result in loss of confidentiality. For example, when following NIST's SP 800-38D section 8.2.1 guidance for constructing a deterministic IV for AES in GCM mode, truncation of the counter portion could lead to IV reuse. Both truncations and overruns of the key and overruns of the IV will produce incorrect results and could, in some cases, trigger a memory exception. However, these issues are not currently assessed as security critical. Changing the key and/or IV lengths is not considered to be a common operation and the vulnerable API was recently introduced. Furthermore it is likely that application developers will have spotted this problem during testing since decryption would fail unless both peers in the communication were similarly vulnerable. For these reasons we expect the probability of an application being vulnerable to this to be quite low. However if an application is vulnerable then this issue is considered very serious. For these reasons we have assessed this issue as Moderate severity overall. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this because the issue lies outside of the FIPS provider boundary. OpenSSL 3.1 and 3.0 are vulnerable to this issue. | CVE-2023-5363 | High | False Positive | 24.04.0 | Link | Changing IV size is not present in current codebase. | |
openssl 3.0.11-1~deb12u3 | Issue summary: Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow. Impact summary: Applications that use the functions DH_generate_key() to generate an X9.42 DH key may experience long delays. Likewise, applications that use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check() to check an X9.42 DH key or X9.42 DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. While DH_check() performs all the necessary checks (as of CVE-2023-3817), DH_check_pub_key() doesn't make any of these checks, and is therefore vulnerable for excessively large P and Q parameters. Likewise, while DH_generate_key() performs a check for an excessively large P, it doesn't check for an excessively large Q. An application that calls DH_generate_key() or DH_check_pub_key() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack. DH_generate_key() and DH_check_pub_key() are also called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate(). Also vulnerable are the OpenSSL pkey command line application when using the "-pubcheck" option, as well as the OpenSSL genpkey command line application. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue. | CVE-2023-5678 | Medium | False Positive | 24.04.0 | Link | Openssl not used this way. | |
openssl 3.0.11-1~deb12u3 | Issue summary: The POLY1305 MAC (message authentication code) implementation contains a bug that might corrupt the internal state of applications running on PowerPC CPU based platforms if the CPU provides vector instructions. Impact summary: If an attacker can influence whether the POLY1305 MAC algorithm is used, the application state might be corrupted with various application dependent consequences. The POLY1305 MAC (message authentication code) implementation in OpenSSL for PowerPC CPUs restores the contents of vector registers in a different order than they are saved. Thus the contents of some of these vector registers are corrupted when returning to the caller. The vulnerable code is used only on newer PowerPC processors supporting the PowerISA 2.07 instructions. The consequences of this kind of internal application state corruption can be various - from no consequences, if the calling application does not depend on the contents of non-volatile XMM registers at all, to the worst consequences, where the attacker could get complete control of the application process. However unless the compiler uses the vector registers for storing pointers, the most likely consequence, if any, would be an incorrect result of some application dependent calculations or a crash leading to a denial of service. The POLY1305 MAC algorithm is most frequently used as part of the CHACHA20-POLY1305 AEAD (authenticated encryption with associated data) algorithm. The most common usage of this AEAD cipher is with TLS protocol versions 1.2 and 1.3. If this cipher is enabled on the server a malicious client can influence whether this AEAD cipher is used. This implies that TLS server applications using OpenSSL can be potentially impacted. However we are currently not aware of any concrete application that would be affected by this issue therefore we consider this a Low severity security issue. | CVE-2023-6129 | Medium | False Positive | 24.04.0 | Link | System not PowerPC based. | |
perl 5.36.0-7+deb12u1 | HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates. | CVE-2023-31486 | High | False Positive | 24.04.0 | Link | HTTP::Tiny not used this way in codebase. | |
perl 5.36.0-7+deb12u1 | CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS. | CVE-2023-31484 | High | False Positive | 24.04.0 | Link | CPAN not used internally. | |
perl 5.36.0-7+deb12u1 | In Perl before 5.38.2, S_parse_uniprop_string in regcomp.c can write to unallocated space because a property name associated with a \p{...} regular expression construct is mishandled. The earliest affected version is 5.30.0. | CVE-2023-47100 | Critical | False Positive | 24.04.0 | Link | We don't use vulnerable regexp in perl. | |
github.com/go-git/go-git/v5 v5.9.0 | A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients. Applications using only the in-memory filesystem supported by go-git are not affected by this vulnerability. This is a go-git implementation issue and does not affect the upstream git cli. | CVE-2023-49568 | High | False Positive | 24.04.0 | Link | artifact | |
github.com/go-git/go-git/v5 v5.9.0 | A path traversal vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to create and amend files across the filesystem. In the worse case scenario, remote code execution could be achieved. Applications are only affected if they are using the ChrootOS https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#ChrootOS , which is the default when using "Plain" versions of Open and Clone funcs (e.g. PlainClone). Applications using BoundOS https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#BoundOS or in-memory filesystems are not affected by this issue. This is a go-git implementation issue and does not affect the upstream git cli. | CVE-2023-49569 | Critical | False Positive | 24.04.0 | Link | ||
github.com/rclone/rclone v1.63.0 | In Rclone 1.42, use of "rclone sync" to migrate data between two Google Cloud Storage buckets might allow attackers to trigger the transmission of any URL's content to Google, because there is no validation of a URL field received from the Google Cloud Storage API server, aka a "RESTLESS" issue. | CVE-2018-12907 | Medium | False Positive | 24.04.0 | Link | Opened NAS-127131 | |
golang.org/x/crypto v0.13.0 | The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust. | CVE-2023-48795 | Medium | False Positive | 24.04.0 | Link | We do not use Go-based ssh internally. | |
golang.org/x/crypto v0.7.0 | The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust. | CVE-2023-48795 | Medium | False Positive | 24.04.0 | Link | We do not use Go-based ssh internally. | |
golang.org/x/net v0.10.0 | A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function. | CVE-2023-39325 | High | False Positive | 24.04.0 | Link | Not serving HTTP via go code. | |
golang.org/x/net v0.10.0 | Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack. | CVE-2023-3978 | Medium | False Positive | 24.04.0 | Link | We don't generate HTML from this package. | |
golang.org/x/net v0.15.0 | A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function. | CVE-2023-39325 | High | False Positive | 24.04.0 | Link | Not serving HTTP via go code. | |
golang.org/x/net v0.7.0 | A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function. | CVE-2023-39325 | High | False Positive | 24.04.0 | Link | Not serving HTTP via go code. | |
golang.org/x/net v0.7.0 | Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack. | CVE-2023-3978 | Medium | False Positive | 24.04.0 | Link | We don't generate HTML from this package. | |
golang.org/x/net v0.8.0 | A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function. | CVE-2023-39325 | High | False Positive | 24.04.0 | Link | Not serving HTTP via go code. | |
golang.org/x/net v0.8.0 | Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack. | CVE-2023-3978 | Medium | False Positive | 24.04.0 | Link | We don't generate HTML from this package. | |
google.golang.org/grpc v1.40.0 | When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. We recommend upgrading beyond the commit contained in https://github.com/grpc/grpc/pull/33005 | CVE-2023-32731 | High | False Positive | 24.04.0 | Link | gRPC only used internally. | |
k8s.io/apiserver v0.29.0 | A security issue was discovered in Kubernetes where actors that control the responses of MutatingWebhookConfiguration or ValidatingWebhookConfiguration requests are able to redirect kube-apiserver requests to private networks of the apiserver. If that user can view kube-apiserver logs when the log level is set to 10, they can view the redirected responses and headers in the logs. | CVE-2020-8561 | Medium | False Positive | 24.04.0 | Link | Not used. | |
github.com/mholt/archiver/v3 v3.5.1 | A flaw was discovered in the mholt/archiver package. This flaw allows an attacker to create a specially crafted tar file, which, when unpacked, may allow access to restricted files or directories. This issue can allow the creation or overwriting of files with the user's or application's privileges using the library. | CVE-2024-0406 | Unknown | False Positive | 24.04.0 | Link | archiver not used to unpack arbitrary files. | |
busybox 1:1.35.0-4+b3 | BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors. | CVE-2022-28391 | Medium | False Positive | 24.04.0 | Link | We don't use busybox for netstat. | |
busybox 1:1.35.0-4+b3 | An issue was discovered in BusyBox through 1.30.0. An out of bounds read in udhcp components (consumed by the DHCP client, server, and/or relay) might allow a remote attacker to leak sensitive information from the stack by sending a crafted DHCP message. This is related to assurance of a 4-byte length when decoding DHCP_SUBNET. NOTE: this issue exists because of an incomplete fix for CVE-2018-20679. | CVE-2019-5747 | Medium | False Positive | 24.04.0 | Link | We don't use busybox DHCP | |
busybox 1:1.35.0-4+b3 | Busybox contains a missing SSL certificate validation vulnerability in the "busybox wget" applet that can result in arbitrary code execution. This attack appears to be exploitable by simply downloading any file over HTTPS using "busybox wget https://compromised-domain.com/important-file". | CVE-2018-1000500 | Medium | False Positive | 24.04.0 | Link | We don't use busybox wget. | |
busybox 1:1.35.0-4+b3 | BusyBox wget prior to commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e contains a buffer overflow vulnerability that can result in a heap buffer overflow. This attack appears to be exploitable via network connectivity. This vulnerability appears to have been fixed in commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e. | CVE-2018-1000517 | High | False Positive | 24.04.0 | Link | We don't use busybox's wget. | |
busybox 1:1.35.0-4+b3 | An issue was discovered in BusyBox before 1.30.0. An out of bounds read in udhcp components (consumed by the DHCP server, client, and relay) allows a remote attacker to leak sensitive information from the stack by sending a crafted DHCP message. This is related to verification in udhcp_get_option() in networking/udhcp/common.c that 4-byte options are indeed 4 bytes. | CVE-2018-20679 | Medium | False Positive | 24.04.0 | Link | We don't use busybox dhcp | |
busybox 1:1.35.0-4+b3 | In the add_match function in libbb/lineedit.c in BusyBox through 1.27.2, the tab autocomplete feature of the shell, used to get a list of filenames in a directory, does not sanitize filenames and results in executing any escape sequence in the terminal. This could potentially result in code execution, arbitrary file writes, or other attacks. | CVE-2017-16544 | Medium | False Positive | 24.04.0 | Link | We don't use busybox shell. | |
busybox 1:1.35.0-4+b3 | Integer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to cause a denial of service (crash) via a malformed RFC1035-encoded domain name, which triggers an out-of-bounds heap write. | CVE-2016-2147 | Medium | False Positive | 24.04.0 | Link | We don't use busybox DHCP. | |
busybox 1:1.35.0-4+b3 | Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to have unspecified impact via vectors involving OPTION_6RD parsing. | CVE-2016-2148 | High | False Positive | 24.04.0 | Link | We don't use busybox DHCP | |
busybox 1:1.35.0-4+b3 | The recv_and_process_client_pkt function in networking/ntpd.c in busybox allows remote attackers to cause a denial of service (CPU and bandwidth consumption) via a forged NTP packet, which triggers a communication loop. | CVE-2016-6301 | High | False Positive | 24.04.0 | Link | We don't use busybox NTP | |
busybox 1:1.35.0-4+b3 | huft_build in archival/libarchive/decompress_gunzip.c in BusyBox before 1.27.2 misuses a pointer, causing segfaults and an application crash during an unzip operation on a specially crafted ZIP file. | CVE-2015-9261 | Medium | False Positive | 24.04.0 | Link | busybox not used for unzip. | |
github.com/opencontainers/runc v1.1.5 | runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem ("attack 2"). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run ("attack 1"). Variants of attacks 1 and 2 could be also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes ("attack 3a" and "attack 3b"). runc 1.1.12 includes patches for this issue. | CVE-2024-21626 | High | Medium | 24.04.2 | Link | Apps need to be installed with root access. As such, this is only exploitable by deliberately installing malicious apps. | |
github.com/opencontainers/runc v1.1.5 | runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem ("attack 2"). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run ("attack 1"). Variants of attacks 1 and 2 could be also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes ("attack 3a" and "attack 3b"). runc 1.1.12 includes patches for this issue. | CVE-2024-21626 | High | Medium | 24.04.0 | Link | Apps need to be installed with root access. As such, this is only exploitable by deliberately installing malicious apps. | |
github.com/opencontainers/runc v1.1.6 | runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem ("attack 2"). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run ("attack 1"). Variants of attacks 1 and 2 could be also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes ("attack 3a" and "attack 3b"). runc 1.1.12 includes patches for this issue. | CVE-2024-21626 | High | Medium | 24.04.0 | Link | Apps need to be installed with root access. As such, this is only exploitable by deliberately installing malicious apps. | |
openssl 3.0.11-1~deb12u3 | Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL to crash, leading to a potential Denial of Service attack. Impact summary: Applications loading files in the PKCS12 format from untrusted sources might terminate abruptly. A file in PKCS12 format can contain certificates and keys and may come from an untrusted source. The PKCS12 specification allows certain fields to be NULL, but OpenSSL does not correctly check for this case. This can lead to a NULL pointer dereference that results in OpenSSL crashing. If an application processes PKCS12 files from an untrusted source using the OpenSSL APIs then that application will be vulnerable to this issue. OpenSSL APIs that are vulnerable to this are: PKCS12_parse(), PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes() and PKCS12_newpass(). We have also fixed a similar issue in SMIME_write_PKCS7(). However since this function is related to writing data we do not consider it security significant. The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. | CVE-2024-0727 | Medium | False Positive | 24.04.0 | Link | We don't process arbitrary PKCS12 files. | |
google.golang.org/protobuf v1.31.0 | The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set. | CVE-2024-24786 | Unknown | False Positive | 24.04.0 | Link | protojson.Unmarshal is not used to process such invalid JSON. | |
google.golang.org/protobuf v1.28.0 | The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set. | CVE-2024-24786 | Unknown | False Positive | 24.04.0 | Link | protojson.Unmarshal is not used to process such invalid JSON. | |
google.golang.org/protobuf v1.30.0 | The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set. | CVE-2024-24786 | Unknown | False Positive | 24.04.0 | Link | protojson.Unmarshal is not used to process such invalid JSON. | |
qemu-block-extra 1:7.2+dfsg-7+deb12u6 | The hardware emulation in of_dpa_cmd_add_l2_flood of the rocker device model in QEMU, as used in 7.0.0 and earlier, allows remote attackers to crash the host qemu and potentially execute code on the host by executing a malformed program in the guest OS. Note: This has been disputed by multiple third parties as not a valid vulnerability because the rocker device does not fall within the virtualization use case. | CVE-2022-36648 | Critical | False Positive | 24.10.0 | Link | QEMU guests are outside of security scope. Never run untrusted VMs or applications on your TrueNAS. | |
busybox 1:1.35.0-4+b3 | There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution. | CVE-2022-48174 | Critical | False Positive | 24.10.0 | Link | TrueNAS does not make use of busybox in a way that can be reached by this exploit. | |
zlib1g 1:1.2.13.dfsg-1 | MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product. NOTE: pyminizip through 0.2.6 is also vulnerable because it bundles an affected zlib version, and exposes the applicable MiniZip code through its compress API. | CVE-2023-45853 | Critical | False Positive | 24.10.0 | Link | TrueNAS doesn't use MiniZip in an exploitable way. | |
stdlib go1.21.6 | The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms. | CVE-2024-24790 | Critical | False Positive | 24.10.0 | Link | TrueNAS doesn't use Go's stdlib for IPv6 IP address checks. | |
git 1:2.39.2-1.1 | Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule's worktree but into a `.git/` directory. This allows writing a hook that will be executed while the clone operation is still running, giving the user no opportunity to inspect the code that is being executed. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. If symbolic link support is disabled in Git (e.g. via `git config --global core.symlinks false`), the described attack won't work. As always, it is best to avoid cloning repositories from untrusted sources. | CVE-2024-32002 | Critical | False Positive | 24.10.0 | Link | TrueNAS doesn't use git internally in an exploitable way for this vulnerability. | |
krb5-user 1.20.1-2+deb12u1 | In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields. | CVE-2024-37371 | Critical | False Positive | 24.10.0 | Link | TrueNAS isn't acting as a Kerberos server. | |
libarchive13 3.6.2-1+deb12u1 | Libarchive before 3.7.4 allows name out-of-bounds access when a ZIP archive has an empty-name file and mac-ext is enabled. This occurs in slurp_central_directory in archive_read_support_format_zip.c. | CVE-2024-37407 | Critical | False Positive | 24.10.0 | Link | libarchive is not used on untrusted files. | |
wget 1.21.3-1+b2 | url.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo subcomponent of a URI, and thus there may be insecure behavior in which data that was supposed to be in the userinfo subcomponent is misinterpreted to be part of the host subcomponent. | CVE-2024-38428 | Critical | False Positive | 24.10.0 | Link | wget is not used on untrusted URLs. | |
keepalived 1:2.2.7-1+b2 | In the vrrp_ipsets_handler handler (fglobal_parser.c) of keepalived through 2.3.1, an integer overflow can occur. NOTE: this CVE Record might not be worthwhile because an empty ipset name must be configured by the user. | CVE-2024-41184 | Critical | False Positive | 24.10.0 | Link | TrueNAS is not configured in mode needed for this exploit. | |
libexpat1 2.5.0-1 | An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX). | CVE-2024-45491 | Critical | False Positive | 24.10.0 | Link | Not a 32-bit platform. | |
libexpat1 2.5.0-1 | An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX). | CVE-2024-45492 | Critical | False Positive | 24.10.0 | Link | Not a 32-bit platform. | |
libssl3 3.0.13-1~deb12u2 | Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an empty supported client protocols buffer may cause a crash or memory contents to be sent to the peer. Impact summary: A buffer overread can have a range of potential consequences such as unexpected application behaviour or a crash. In particular this issue could result in up to 255 bytes of arbitrary private data from memory being sent to the peer leading to a loss of confidentiality. However, only applications that directly call the SSL_select_next_proto function with a 0 length list of supported client protocols are affected by this issue. This would normally never be a valid scenario and is typically not under attacker control but may occur by accident in the case of a configuration or programming error in the calling application. The OpenSSL API function SSL_select_next_proto is typically used by TLS applications that support ALPN (Application Layer Protocol Negotiation) or NPN (Next Protocol Negotiation). NPN is older, was never standardised and is deprecated in favour of ALPN. We believe that ALPN is significantly more widely deployed than NPN. The SSL_select_next_proto function accepts a list of protocols from the server and a list of protocols from the client and returns the first protocol that appears in the server list that also appears in the client list. In the case of no overlap between the two lists it returns the first item in the client list. In either case it will signal whether an overlap between the two lists was found. In the case where SSL_select_next_proto is called with a zero length client list it fails to notice this condition and returns the memory immediately following the client list pointer (and reports that there was no overlap in the lists). This function is typically called from a server side application callback for ALPN or a client side application callback for NPN. In the case of ALPN the list of protocols supplied by the client is guaranteed by libssl to never be zero in length. The list of server protocols comes from the application and should never normally be expected to be of zero length. In this case if the SSL_select_next_proto function has been called as expected (with the list supplied by the client passed in the client/client_len parameters), then the application will not be vulnerable to this issue. If the application has accidentally been configured with a zero length server list, and has accidentally passed that zero length server list in the client/client_len parameters, and has additionally failed to correctly handle a "no overlap" response (which would normally result in a handshake failure in ALPN) then it will be vulnerable to this problem. In the case of NPN, the protocol permits the client to opportunistically select a protocol when there is no overlap. OpenSSL returns the first client protocol in the no overlap case in support of this. The list of client protocols comes from the application and should never normally be expected to be of zero length. However if the SSL_select_next_proto function is accidentally called with a client_len of 0 then an invalid memory pointer will be returned instead. If the application uses this output as the opportunistic protocol then the loss of confidentiality will occur. This issue has been assessed as Low severity because applications are most likely to be vulnerable if they are using NPN instead of ALPN - but NPN is not widely used. It also requires an application configuration or programming error. Finally, this issue would not typically be under attacker control making active exploitation unlikely. The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue. Due to the low severity of this issue we are not issuing new releases of OpenSSL at this time. The fix will be included in the next releases when they become available. | CVE-2024-5535 | Critical | False Positive | 24.10.0 | Link | TrueNAS doesn't use NPN. FIPS is not affected. | |
libnss3 2:3.87.1-1 | A mismatch between allocator and deallocator could have led to memory corruption. This vulnerability affects Firefox < 128, Firefox ESR < 115.13, Thunderbird < 115.13, and Thunderbird < 128. | CVE-2024-6602 | Critical | False Positive | 24.10.0 | Link | Firefox and Thunderbird are not present. | |
gitpython 3.1.30 | GitPython vulnerable to remote code execution due to insufficient sanitization of input arguments | GHSA-pr76-5cm5-w9cj | Critical | False Positive | 24.10.0 | Link | TrueNAS doesn't use GitPython with untrusted git repos. | |
github.com/docker/docker v27.0.3+incompatible | Authz zero length regression | GHSA-v23v-6jw2-98fq | Critical | False Positive | 24.10.0 | Link | Do not run untrusted applications on your TrueNAS system. | |
python3-dnspython 2.3.0-1 | The DNS protocol, as implemented in (1) BIND 8 and 9 before 9.5.0-P1, 9.4.2-P1, and 9.3.5-P1; (2) Microsoft DNS in Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP1 and SP2; and other implementations allow remote attackers to spoof DNS traffic via a birthday attack that uses in-bailiwick referrals to conduct cache poisoning against recursive resolvers, related to insufficient randomness of DNS transaction IDs and source ports, aka "DNS Insufficient Socket Entropy Vulnerability" or "the Kaminsky bug." | CVE-2008-1447 | High | False Positive | 24.10.0 | Link | TrueNAS does not use dnspython for resolution. | |
libopenjp2-7 2.5.0-2 | A heap-based buffer overflow was found in openjpeg in color.c:379:42 in sycc420_to_rgb when decompressing a crafted .j2k file. An attacker could use this to execute arbitrary code with the permissions of the application compiled against openjpeg. | CVE-2021-3575 | High | False Positive | 24.10.0 | Link | TrueNAS does not use libopenjp2 for processing untrusted images. | |
busybox 1:1.35.0-4+b3 | BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors. | CVE-2022-28391 | High | False Positive | 24.10.0 | Link | TrueNAS does not use BusyBox to run netstat. | |
firmware-amd-graphics 20240709-2~bpo12+1 | Improper input validation in some Intel(R) PROSet/Wireless WiFi and Killer(TM) WiFi software may allow an authenticated user to potentially enable escalation of privilege via local access. | CVE-2022-38076 | High | False Positive | 24.10.0 | Link | WiFi firmware not used in TrueNAS. | |
qemu-block-extra 1:7.2+dfsg-7+deb12u6 | An off-by-one read/write issue was found in the SDHCI device of QEMU. It occurs when reading/writing the Buffer Data Port Register in sdhci_read_dataport and sdhci_write_dataport, respectively, if data_count == block_size. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition. | CVE-2022-3872 | High | False Positive | 24.10.0 | Link | Do not run untrusted guest VMs. | |
libgfapi0 10.3-5 | In Gluster GlusterFS 11.0, there is an xlators/cluster/dht/src/dht-common.c dht_setxattr_mds_cbk use-after-free. | CVE-2022-48340 | High | False Positive | 24.10.0 | Link | GlusterFS is not used internally. | |
qemu-block-extra 1:7.2+dfsg-7+deb12u6 | A flaw was found in the 9p passthrough filesystem (9pfs) implementation in QEMU. When a local user in the guest writes an executable file with SUID or SGID, none of these privileged bits are correctly dropped. As a result, in rare circumstances, this flaw could be used by malicious users in the guest to elevate their privileges within the guest and help a host local user to elevate privileges on the host. | CVE-2023-1386 | High | False Positive | 24.10.0 | Link | Do not run untrusted guest VMs. | |
libharfbuzz0b 6.0.0+dfsg-3 | hb-ot-layout-gsubgpos.hh in HarfBuzz through 6.0.0 allows attackers to trigger O(n^2) growth via consecutive marks during the process of looking back for base glyphs when attaching marks. | CVE-2023-25193 | High | False Positive | 24.10.0 | Link | TrueNAS is not using harfbuzz to display attacker chosen strings. | |
git 1:2.39.2-1.1 | Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, by feeding specially crafted input to `git apply --reject`, a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch). A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid using `git apply` with `--reject` when applying patches from an untrusted source. Use `git apply --stat` to inspect a patch before applying; avoid applying one that create a conflict where a link corresponding to the `*.rej` file exists. | CVE-2023-25652 | High | False Positive | 24.10.0 | Link | TrueNAS doesn't run git apply internally. | |
vim-common 2:9.0.1378-2 | Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.1532. | CVE-2023-2610 | High | False Positive | 24.10.0 | Link | ||
dnsmasq-base 2.89-1 | An issue was discovered in Dnsmasq before 2.90. The default maximum EDNS.0 UDP packet size was set to 4096 but should be 1232 because of DNS Flag Day 2020. | CVE-2023-28450 | High | False Positive | 24.10.0 | Link | dnsmasq is not used in a vulnerable way. | |
git 1:2.39.2-1.1 | Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, a specially crafted `.gitmodules` file with submodule URLs that are longer than 1024 characters can be used to exploit a bug in `config.c::git_config_copy_or_rename_section_in_file()`. This bug can be used to inject arbitrary configuration into a user's `$GIT_DIR/config` when attempting to remove the configuration section associated with that submodule. When the attacker injects configuration values which specify executables to run (such as `core.pager`, `core.editor`, `core.sshCommand`, etc.) this can lead to a remote code execution. A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid running `git submodule deinit` on untrusted repositories or without prior inspection of any submodule sections in `$GIT_DIR/config`. | CVE-2023-29007 | High | False Positive | 24.10.0 | Link | TrueNAS does not use git on untrusted repos. | |
python3-dnspython 2.3.0-1 | eventlet before 0.35.2, as used in dnspython before 2.6.0, allows remote attackers to interfere with DNS name resolution by quickly sending an invalid packet from the expected IP address and source port, aka a "TuDoor" attack. In other words, dnspython does not have the preferred behavior in which the DNS name resolution algorithm would proceed, within the full time window, in order to wait for a valid packet. NOTE: dnspython 2.6.0 is unusable for a different reason that was addressed in 2.6.1. | CVE-2023-29483 | High | False Positive | 24.10.0 | Link | TrueNAS does not use dnspython for arbitrary DNS resolution | |
libldap-2.5-0 2.5.13+dfsg-5 | A vulnerability was found in openldap. This security flaw causes a null pointer dereference in ber_memalloc_x() function. | CVE-2023-2953 | High | Low | 24.10.0 | Link | iX considers risk to be low. There are no known exploits of this null pointer bug. | |
dmidecode 3.4-1 | Dmidecode before 3.5 allows `--dump-bin` to overwrite a local file. This has security relevance because, for example, execution of Dmidecode via Sudo is plausible. | CVE-2023-30630 | High | False Positive | 24.10.0 | Link | dmidecode is not used in a vulnerable way. | |
amd64-microcode 3.20230808.1.1~deb12u1 | Improper validation in a model specific register (MSR) could allow a malicious program with ring0 access to modify SMM configuration while SMI lock is enabled, potentially leading to arbitrary code execution. | CVE-2023-31315 | High | False Positive | 24.10.0 | Link | No untrusted code with ring0 access. | |
libperl5.36 5.36.0-7+deb12u1 | CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS. | CVE-2023-31484 | High | False Positive | 24.10.0 | Link | CPAN is not used in a vulnerable way. | |
sysstat 12.6.1-1 | sysstat through 12.7.2 allows a multiplication integer overflow in check_overflow in common.c. NOTE: this issue exists because of an incomplete fix for CVE-2022-39377. | CVE-2023-33204 | High | False Positive | 24.10.0 | Link | sysstat is not used in a vulnerable way. | |
truenas-sssd 2.9.5-2 | A race condition flaw was found in sssd where the GPO policy is not consistently applied for authenticated users. This may lead to improper authorization issues, granting or denying access to resources inappropriately. | CVE-2023-3758 | High | False Positive | 24.10.0 | Link | Race condition that requires non-default configuration. | |
busybox 1:1.35.0-4+b3 | An issue in the CPIO command of BusyBox v1.33.2 allows attackers to execute a directory traversal. | CVE-2023-39810 | High | False Positive | 24.10.0 | Link | BusyBox is not used for cpio. | |
shim-unsigned 15.7-1 | A remote code execution vulnerability was found in Shim. The Shim boot support trusts attacker-controlled values when parsing an HTTP response. This flaw allows an attacker to craft a specific malicious HTTP request, leading to a completely controlled out-of-bounds write primitive and complete system compromise. This flaw is only exploitable during the early boot phase; an attacker needs to perform a Man-in-the-Middle or compromise the boot server to be able to exploit this vulnerability successfully. | CVE-2023-40547 | High | False Positive | 24.10.0 | Link | Shim is not used for HTTP-based booting. | |
shim-unsigned 15.7-1 | A buffer overflow was found in Shim in the 32-bit system. The overflow happens due to an addition operation involving a user-controlled value parsed from the PE binary being used by Shim. This value is further used for memory allocation operations, leading to a heap-based buffer overflow. This flaw causes memory corruption and can lead to a crash or data integrity issues during the boot phase. | CVE-2023-40548 | High | False Positive | 24.10.0 | Link | Not a 32-bit platform. | |
sudo 1.9.13p3-1+deb12u1 | Sudo before 1.9.15 might allow row hammer attacks (for authentication bypass or privilege escalation) because application logic sometimes is based on not equaling an error value (instead of equaling a success value), and because the values do not resist flips of a single bit. | CVE-2023-42465 | High | Low | 24.10.0 | Link | Rowhammer attacks are hardware-based; it's nearly impossible to completely fix this issue in software. Do not run untrusted VMs or containers on your TrueNAS. | |
intel-microcode 3.20240514.1~deb12u1 | Improper isolation in the Intel(R) Core(TM) Ultra Processor stream cache mechanism may allow an authenticated user to potentially enable escalation of privilege via local access. | CVE-2023-42667 | High | Low | 24.10.0 | Link | Exploit requires local authenticated access and specific Intel CPU | |
python3-urllib3 1.26.12-1 | urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the `Cookie` HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5. | CVE-2023-43804 | High | False Positive | 24.10.0 | Link | Cookies aren't used in the vulnerable fashion in TrueNAS. | |
nginx 1.22.1-9 | The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. | CVE-2023-44487 | High | Low | 24.10.0 | Link | Do not expose your TrueNAS HTTP ports to the internet. | |
ovmf 2022.11-6+deb12u1 | EDK2's Network Package is susceptible to a predictable TCP Initial Sequence Number. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality. | CVE-2023-45236 | High | False Positive | 24.10.0 | Link | VM exploit: Do not run untrusted VMs on your TrueNAS. | |
ovmf 2022.11-6+deb12u1 | EDK2's Network Package is susceptible to a predictable TCP Initial Sequence Number. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality. | CVE-2023-45237 | High | False Positive | 24.10.0 | Link | VM exploit: Do not run untrusted VMs on your TrueNAS. | |
stdlib go1.21.6 | An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection. | CVE-2023-45288 | High | False Positive | 24.10.0 | Link | Go's stdlib not used for serving HTTP. | |
vim-common 2:9.0.1378-2 | Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1848. | CVE-2023-4738 | High | False Positive | 24.10.0 | Link | ||
vim-common 2:9.0.1378-2 | Use After Free in GitHub repository vim/vim prior to 9.0.1858. | CVE-2023-4752 | High | False Positive | 24.10.0 | Link | ||
vim-common 2:9.0.1378-2 | Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1873. | CVE-2023-4781 | High | False Positive | 24.10.0 | Link | ||
python3-cryptography 38.0.4-3 | cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling `load_pem_pkcs7_certificates` or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference and segfault. Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system availability and stability. This vulnerability has been patched in version 41.0.6. | CVE-2023-49083 | High | False Positive | 24.10.0 | Link | PKCS7 not used internally. | |
dnsmasq-base 2.89-1 | Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records. | CVE-2023-50387 | High | False Positive | 24.10.0 | Link | dnsmasq not used in a way that this exploit can reach. | |
python3-cryptography 38.0.4-3 | A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data. | CVE-2023-50782 | High | False Positive | 24.10.0 | Link | Not serving TLS via this code. | |
p7zip 16.02+dfsg-8 | The NtfsHandler.cpp NTFS handler in 7-Zip before 24.01 (for 7zz) contains a heap-based buffer overflow that allows an attacker to overwrite two bytes at multiple offsets beyond the allocated buffer size: buffer+512*i-2, for i=9, i=10, i=11, etc. | CVE-2023-52168 | High | False Positive | 24.10.0 | Link | p7zip not used internally. | |
libtiff6 4.5.0-6+deb12u1 | An out-of-memory flaw was found in libtiff that could be triggered by passing a crafted tiff file to the TIFFRasterScanlineSize64() API. This flaw allows a remote attacker to cause a denial of service via a crafted input with a size smaller than 379 KB. | CVE-2023-52355 | High | False Positive | 24.10.0 | Link | libtiff not used internally. | |
libtiff6 4.5.0-6+deb12u1 | A segment fault (SEGV) flaw was found in libtiff that could be triggered by passing a crafted tiff file to the TIFFReadRGBATileExt() API. This flaw allows a remote attacker to cause a heap-buffer overflow, leading to a denial of service. | CVE-2023-52356 | High | False Positive | 24.10.0 | Link | libtiff not used internally. | |
libexpat1 2.5.0-1 | libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed. | CVE-2023-52425 | High | False Positive | 24.10.0 | Link | Unreachable denial of service. | |
vim-common 2:9.0.1378-2 | Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1969. | CVE-2023-5344 | High | False Positive | 24.10.0 | Link | ||
libsqlite3-0 3.40.1-2 | A vulnerability was found in SQLite SQLite3 up to 3.43.0 and classified as critical. This issue affects the function sessionReadRecord of the file ext/session/sqlite3session.c of the component make alltest Handler. The manipulation leads to heap-based buffer overflow. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-248999. | CVE-2023-7104 | High | False Positive | 24.10.0 | Link | Untrusted code cannot reach sqlite calls. | |
libpython3.11 3.11.2-6+deb12u2 | A defect was discovered in the Python “ssl” module where there is a memory race condition with the ssl.SSLContext methods “cert_store_stats()” and “get_ca_certs()”. The race condition can be triggered if the methods are called at the same time as certificates are loaded into the SSLContext, such as during the TLS handshake with a certificate directory configured. This issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5. | CVE-2024-0397 | High | Low | 24.10.0 | Link | No exploits known beyond denial of service. | |
libnss3 2:3.87.1-1 | An unchecked return value in TLS handshake code could have caused a potentially exploitable crash. This vulnerability affects Firefox < 122, Firefox ESR < 115.9, and Thunderbird < 115.9. | CVE-2024-0743 | High | False Positive | 24.10.0 | Link | Firefox and Thunderbird not included in TrueNAS. | |
bind9-dnsutils 1:9.18.24-1 | A malicious client can send many DNS messages over TCP, potentially causing the server to become unstable while the attack is in progress. The server may recover after the attack ceases. Use of ACLs will not mitigate the attack. This issue affects BIND 9 versions 9.18.1 through 9.18.27, 9.19.0 through 9.19.24, and 9.18.11-S1 through 9.18.27-S1. | CVE-2024-0760 | High | False Positive | 24.10.0 | Link | TrueNAS is not serving DNS. | |
bind9-dnsutils 1:9.18.24-1 | Resolver caches and authoritative zone databases that hold significant numbers of RRs for the same hostname (of any RTYPE) can suffer from degraded performance as content is being added or updated, and also when handling client queries for this name. This issue affects BIND 9 versions 9.11.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.11.4-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.27-S1. | CVE-2024-1737 | High | False Positive | 24.10.0 | Link | TrueNAS is not using bind9 for caching results. | |
bind9-dnsutils 1:9.18.24-1 | If a server hosts a zone containing a "KEY" Resource Record, or a resolver DNSSEC-validates a "KEY" Resource Record from a DNSSEC-signed domain in cache, a client can exhaust resolver CPU resources by sending a stream of SIG(0) signed requests. This issue affects BIND 9 versions 9.0.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.49-S1, and 9.18.11-S1 through 9.18.27-S1. | CVE-2024-1975 | High | False Positive | 24.10.0 | Link | TrueNAS is not using bind9 to cache results. | |
vim-common 2:9.0.1378-2 | Vim before 9.0.2142 has a stack-based buffer overflow because did_set_langmap in map.c calls sprintf to write to the error buffer that is passed down to the option callback functions. | CVE-2024-22667 | High | False Positive | 24.10.0 | Link | ||
curl 7.88.1-10+deb12u5 | When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory. Further, this error condition fails silently and is therefore not easily detected by an application. | CVE-2024-2398 | High | False Positive | 24.10.0 | Link | TrueNAS does not use libcurl in a vulnerable way. | |
stdlib go1.21.6 | The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers. | CVE-2024-24784 | High | False Positive | 24.10.0 | Link | TrueNAS does not use ParseAddressList | |
stdlib go1.21.6 | The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail. | CVE-2024-24791 | High | False Positive | 24.10.0 | Link | TrueNAS is not using net/http client. | |
intel-microcode 3.20240514.1~deb12u1 | Incorrect behavior order in transition between executive monitor and SMI transfer monitor (STM) in some Intel(R) Processor may allow a privileged user to potentially enable escalation of privilege via local access. | CVE-2024-24853 | High | False Positive | 24.10.0 | Link | Requires local privileged access. | |
libxml2 2.9.14+dfsg-1.3~deb12u1 | An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free. | CVE-2024-25062 | High | False Positive | 24.10.0 | Link | TrueNAS is not processing XML from attackers. | |
python3-cryptography 38.0.4-3 | cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting in version 38.0.0 and prior to version 42.0.4, if `pkcs12.serialize_key_and_certificates` is called with both a certificate whose public key did not match the provided private key and an `encryption_algorithm` with `hmac_hash` set (via `PrivateFormat.PKCS12.encryption_builder().hmac_hash(...)`, then a NULL pointer dereference would occur, crashing the Python process. This has been resolved in version 42.0.4, the first version in which a `ValueError` is properly raised. | CVE-2024-26130 | High | False Positive | 24.10.0 | Link | TrueNAS does not use cryptography package in a vulnerable way. | |
krb5-user 1.20.1-2+deb12u1 | Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c. | CVE-2024-26461 | High | Low | 24.10.0 | Link | Potential memory leak; no security implications | |
python3-truenas-ipaclient 4.12.1-2 | A vulnerability was found in FreeIPA in how the initial implementation of MS-SFU by MIT Kerberos was missing a condition for granting the "forwardable" flag on S4U2Self tickets. Fixing this mistake required adding a special case for the check_allowed_to_delegate() function: If the target service argument is NULL, then it means the KDC is probing for general constrained delegation rules and not checking a specific S4U2Proxy request. In FreeIPA 4.11.0, the behavior of ipadb_match_acl() was modified to match the changes from upstream MIT Kerberos 1.20. However, a mistake resulted in this mechanism applying both in cases where the target service argument is set AND where it is unset. This results in S4U2Proxy requests being accepted regardless of whether or not there is a matching service delegation rule. | CVE-2024-2698 | High | False Positive | 24.10.0 | Link | This only applies to FreeIPA servers. TrueNAS acts only as a client. | |
libxencall1 4.17.3+10-g091466ba55-1~deb12u1 | An optional feature of PCI MSI called "Multiple Message" allows a device to use multiple consecutive interrupt vectors. Unlike for MSI-X, the setting up of these consecutive vectors needs to happen all in one go. In this handling an error path could be taken in different situations, with or without a particular lock held. This error path wrongly releases the lock even when it is not currently held. | CVE-2024-31143 | High | False Positive | 24.10.0 | Link | Don't run untrusted guests. | |
libxencall1 4.17.3+10-g091466ba55-1~deb12u1 | Certain PCI devices in a system might be assigned Reserved Memory Regions (specified via Reserved Memory Region Reporting, "RMRR") for Intel VT-d or Unity Mapping ranges for AMD-Vi. These are typically used for platform tasks such as legacy USB emulation. Since the precise purpose of these regions is unknown, once a device associated with such a region is active, the mappings of these regions need to remain continuously accessible by the device. In the logic establishing these mappings, error handling was flawed, resulting in such mappings potentially remaining in place when they should have been removed again. Respective guests would then gain access to memory regions which they aren't supposed to have access to. | CVE-2024-31145 | High | False Positive | 24.10.0 | Link | Do not run untrusted guest VMs. | |
libxencall1 4.17.3+10-g091466ba55-1~deb12u1 | When multiple devices share resources and one of them is to be passed through to a guest, security of the entire system and of respective guests individually cannot really be guaranteed without knowing internals of any of the involved guests. Therefore such a configuration cannot really be security-supported, yet making that explicit was so far missing. Resources the sharing of which is known to be problematic include, but are not limited to: PCI Base Address Registers (BARs) of multiple devices mapping to the same page (4k on x86), and INTx lines. | CVE-2024-31146 | High | False Positive | 24.10.0 | Link | Do not run untrusted guest VMs. | |
python3-truenas-ipaclient 4.12.1-2 | A vulnerability was found in FreeIPA in the way a Kerberos TGS-REQ is encrypted using the client's session key. This key is different for each new session, which protects it from brute force attacks. However, the ticket it contains is encrypted using the target principal key directly. For user principals, this key is a hash of a public per-principal randomly-generated salt and the user's password. If a principal is compromised it means the attacker would be able to retrieve tickets encrypted to any principal, all of them being encrypted by their own key directly. By taking these tickets and salts offline, the attacker could run brute force attacks to find character strings able to decrypt tickets when combined with a principal salt (i.e. find the principal's password). | CVE-2024-3183 | High | False Positive | 24.10.0 | Link | | |
git 1:2.39.2-1.1 | Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, an attacker can prepare a local repository in such a way that, when cloned, will execute arbitrary code during the operation. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid cloning repositories from untrusted sources. | CVE-2024-32004 | High | False Positive | 24.10.0 | Link | Git not used with untrusted repositories. | |
git 1:2.39.2-1.1 | Git is a revision control system. The Git project recommends to avoid working in untrusted repositories, and instead to clone it first with `git clone --no-local` to obtain a clean copy. Git has specific protections to make that a safe operation even with an untrusted source repository, but vulnerabilities allow those protections to be bypassed. In the context of cloning local repositories owned by other users, this vulnerability has been covered in CVE-2024-32004. But there are circumstances where the fixes for CVE-2024-32004 are not enough: For example, when obtaining a `.zip` file containing a full copy of a Git repository, it should not be trusted by default to be safe, as e.g. hooks could be configured to run within the context of that repository. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid using Git in repositories that have been obtained via archives from untrusted sources. | CVE-2024-32465 | High | False Positive | 24.10.0 | Link | Git not used with untrusted repos. | |
libunbound8 1.17.1-2+deb12u2 | The DNS protocol in RFC 1035 and updates allows remote attackers to cause a denial of service (resource consumption) by arranging for DNS queries to be accumulated for seconds, such that responses are later sent in a pulsing burst (which can be considered traffic amplification in some cases), aka the "DNSBomb" issue. | CVE-2024-33655 | High | False Positive | 24.10.0 | Link | DNS resolution not used in vulnerable fashion. | |
stdlib go1.21.12 | Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635. | CVE-2024-34156 | High | False Positive | 24.10.0 | Link | Decode not used. | |
stdlib go1.21.12 | Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion. | CVE-2024-34158 | High | False Positive | 24.10.0 | Link | Build time issue. | |
krb5-user 1.20.1-2+deb12u1 | In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application. | CVE-2024-37370 | High | Low | 24.10.0 | Link | No proof-of-concepts exist at this time. | |
libpython3.11 3.11.2-6+deb12u2 | The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn’t be returned in accordance with the latest information from the IANA Special-Purpose Address Registries. CPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior. | CVE-2024-4032 | High | False Positive | 24.10.0 | Link | Address typing not relied upon for security issues. | |
bind9-dnsutils 1:9.18.24-1 | Client queries that trigger serving stale data and that also require lookups in local authoritative zone data may result in an assertion failure. This issue affects BIND 9 versions 9.16.13 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.11.33-S1 through 9.11.37-S1, 9.16.13-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.27-S1. | CVE-2024-4076 | High | False Positive | 24.10.0 | Link | Assertion failure won't cause system issue. | |
qemu-block-extra 1:7.2+dfsg-7+deb12u6 | A flaw was found in the QEMU disk image utility (qemu-img) 'info' command. A specially crafted image file containing a `json:{}` value describing block devices in QMP could cause the qemu-img process on the host to consume large amounts of memory or CPU time, leading to denial of service or read/write to an existing external file. | CVE-2024-4467 | High | False Positive | 24.10.0 | Link | Don't use untrusted QEMU images. | |
libexpat1 2.5.0-1 | An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer. | CVE-2024-45490 | High | False Positive | 24.10.0 | Link | TrueNAS doesn't use libexpat on untrusted XML. | |
liboath0 2.6.7-3.1 | pam_oath.so in oath-toolkit 2.6.7 through 2.6.11 before 2.6.12 allows root privilege escalation because, in the context of PAM code running as root, it mishandles usersfile access, such as by calling fchown in the presence of a symlink. | CVE-2024-47191 | High | False Positive | 24.10.0 | Link | TrueNAS does not use vulnerable PAM config required for this vulnerability. | |
libarchive13 3.6.2-1+deb12u1 | execute_filter_audio in archive_read_support_format_rar.c in libarchive before 3.7.5 allows out-of-bounds access via a crafted archive file because src can move beyond dst. | CVE-2024-48957 | High | False Positive | 24.10.0 | Link | libarchive not used for audio. | |
libarchive13 3.6.2-1+deb12u1 | execute_filter_delta in archive_read_support_format_rar.c in libarchive before 3.7.5 allows out-of-bounds access via a crafted archive file because src can move beyond dst. | CVE-2024-48958 | High | False Positive | 24.10.0 | Link | libarchive not used for RAR | |
libssl3 3.0.13-1~deb12u2 | Issue summary: Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address resulting in abnormal termination of the application process. Impact summary: Abnormal termination of an application can cause a denial of service. Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address when comparing the expected name with an `otherName` subject alternative name of an X.509 certificate. This may result in an exception that terminates the application program. Note that basic certificate chain validation (signatures, dates, ...) is not affected; the denial of service can occur only when the application also specifies an expected DNS name, Email address or IP address. TLS servers rarely solicit client certificates, and even when they do, they generally don't perform a name check against a reference identifier (expected identity), but rather extract the presented identity after checking the certificate chain. So TLS servers are generally not affected and the severity of the issue is Moderate. The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue. | CVE-2024-6119 | High | False Positive | 24.10.0 | Link | libssl not used for TLS client certificate checking | |
libpython3.11 3.11.2-6+deb12u2 | There is a MEDIUM severity vulnerability affecting CPython. Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives. | CVE-2024-6232 | High | False Positive | 24.10.0 | Link | libpython not used with regular expressions in tar file processing. | |
python3-pkg-resources 66.1.1-1 | A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0. | CVE-2024-6345 | High | False Positive | 24.10.0 | Link | setuptools not used at runtime | |
qemu-block-extra 1:7.2+dfsg-7+deb12u6 | | CVE-2024-6519 | High | False Positive | 24.10.0 | Link | QEMU not used for LSI HBA emulation. | |
libnss3 2:3.87.1-1 | When almost out-of-memory an elliptic curve key which was never allocated could have been freed again. This vulnerability affects Firefox < 128 and Thunderbird < 128. | CVE-2024-6609 | High | False Positive | 24.10.0 | Link | Firefox and Thunderbird not available on system. | |
libgtk-3-0 3.24.38-2~deb12u1 | A flaw was found in the GTK library. Under certain conditions, it is possible for a library to be injected into a GTK application from the current working directory. | CVE-2024-6655 | High | False Positive | 24.10.0 | Link | GTK applications not reachable from TrueNAS internals. | |
libtiff6 4.5.0-6+deb12u1 | A null pointer dereference flaw was found in Libtiff via `tif_dirinfo.c`. This issue may allow an attacker to trigger memory allocation failures through certain means, such as restricting the heap space size or injecting faults, causing a segmentation fault. This can cause an application crash, eventually leading to a denial of service. | CVE-2024-7006 | High | False Positive | 24.10.0 | Link | libtiff not exposed to forced memory failures | |
libnbd0 1.14.2-1 | A flaw was found in libnbd. The client did not always correctly verify the NBD server's certificate when using TLS to connect to an NBD server. This issue allows a man-in-the-middle attack on NBD traffic. | CVE-2024-7383 | High | False Positive | 24.10.0 | Link | libnbd not used in vulnerable fashion | |
qemu-block-extra 1:7.2+dfsg-7+deb12u6 | A flaw was found in the QEMU NBD Server. This vulnerability allows a denial of service (DoS) attack via improper synchronization during socket closure when a client keeps a socket open as the server is taken offline. | CVE-2024-7409 | High | False Positive | 24.10.0 | Link | qemu not used in vulnerable fashion | |
libpython3.11 3.11.2-6+deb12u2 | There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value. | CVE-2024-7592 | High | False Positive | 24.10.0 | Link | CPython not used in vulnerable fashion. | |
gitpython 3.1.30 | Untrusted search path under some conditions on Windows allows arbitrary code execution | GHSA-2mqj-m65w-jghx | High | False Positive | 24.10.0 | Link | Windows vulnerability. | |
pillow 9.4.0 | Arbitrary Code Execution in Pillow | GHSA-3f63-hfp8-52jq | High | False Positive | 24.10.0 | Link | Pillow code not reachable for arbitrary images. | |
cryptography 38.0.4 | Python Cryptography package vulnerable to Bleichenbacher timing oracle attack | GHSA-3ww4-gg4f-jr7f | High | False Positive | 24.10.0 | Link | Don't use RSA keys going forward. TrueNAS does not choose RSA for crypto keys. | |
pillow 9.4.0 | Bundled libwebp in Pillow vulnerable | GHSA-56pw-mpj4-fxww | High | False Positive | 24.10.0 | Link | Pillow code not reachable for untrusted images. | |
aiohttp 3.8.5 | aiohttp vulnerable to Denial of Service when trying to parse malformed POST requests | GHSA-5m98-qgg9-wh84 | High | False Positive | 24.10.0 | Link | aiohttp not used for arbitrary POST requests. | |
cryptography 38.0.4 | cryptography NULL pointer dereference with pkcs12.serialize_key_and_certificates when called with a non-matching certificate and private key and an hmac_hash override | GHSA-6vqw-3v5j-54x4 | High | False Positive | 24.10.0 | Link | cryptography not called with unmatching certs and keys. | |
pillow 9.4.0 | Pillow Denial of Service vulnerability | GHSA-8ghj-p4vj-mr35 | High | False Positive | 24.10.0 | Link | Pillow not used for arbitrary image processing. | |
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.45.0 | otelgrpc DoS vulnerability due to unbound cardinality metrics | GHSA-8pgv-569h-w5rw | High | False Positive | 24.10.0 | Link | DoS not reachable in TrueNAS code. | |
asyncssh 2.13.2 | AsyncSSH Rogue Session Attack | GHSA-c35q-ffpf-5qpm | High | False Positive | 24.10.0 | Link | asyncssh not used in vulnerable fashion | |
setuptools 66.1.1 | setuptools vulnerable to Command Injection via package URL | GHSA-cx63-2mw6-8hw5 | High | False Positive | 24.10.0 | Link | setuptools not used for untrusted packages. | |
pycryptodomex 3.11.0 | PyCryptodome and pycryptodomex side-channel leakage for OAEP decryption | GHSA-j225-cvw7-qrx7 | High | False Positive | 24.10.0 | Link | OAEP decryption not used internally in TrueNAS. | |
pillow 9.4.0 | libwebp: OOB write in BuildHuffmanTable | GHSA-j7hp-h8jx-5ppr | High | False Positive | 24.10.0 | Link | Pillow not used for untrusted image processing. | |
markdown-it-py 2.1.0 | markdown-it-py Denial of Service vulnerability in the command line interface | GHSA-jrwr-5x3p-hvc3 | High | False Positive | 24.10.0 | Link | markdown not used in vulnerable fashion. | |
markdown-it-py 2.1.0 | markdown-it-py Denial of Service vulnerability | GHSA-vrjv-mxr7-vjf8 | High | False Positive | 24.10.0 | Link | markdown not used in vulnerable fashion. | |
gitpython 3.1.30 | GitPython untrusted search path on Windows systems leading to arbitrary code execution | GHSA-wfm5-v35h-vwf4 | High | False Positive | 24.10.0 | Link | Windows vulnerability. | |
cryptography 38.0.4 | Vulnerable OpenSSL included in cryptography wheels | GHSA-x4qr-2fvf-3mr5 | High | False Positive | 24.10.0 | Link | Not building from supplied wheels. | |
certifi 2022.9.24 | Removal of e-Tugra root certificate | GHSA-xqr8-7jwr-rhp7 | High | False Positive | 24.10.0 | Link | External certificate issue. | |
stdlib go1.21.6 | When following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial domain, an http.Client does not forward sensitive headers such as "Authorization" or "Cookie". For example, a redirect from foo.com to www.foo.com will forward the Authorization header, but a redirect to bar.com will not. A maliciously crafted HTTP redirect could cause sensitive headers to be unexpectedly forwarded. | CVE-2023-45289 | Unknown | False Positive | 24.10.0 | Link | Product does not follow HTTP redirects. | |
stdlib go1.21.6 | When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This permits a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion. With fix, the ParseMultipartForm function now correctly limits the maximum size of form lines. | CVE-2023-45290 | Unknown | False Positive | 24.10.0 | Link | Go stdlib not used for form processing. | |
libncurses6 6.4-4 | ncurses 6.4-20230610 has a NULL pointer dereference in tgetstr in tinfo/lib_termcap.c. | CVE-2023-45918 | Unknown | False Positive | 24.10.0 | Link | ncurses not used for basic operations. | |
libxencall1 4.17.3+10-g091466ba55-1~deb12u1 | Recent x86 CPUs offer functionality named Control-flow Enforcement Technology (CET). A sub-feature of this are Shadow Stacks (CET-SS). CET-SS is a hardware feature designed to protect against Return Oriented Programming attacks. When enabled, traditional stacks holding both data and return addresses are accompanied by so called "shadow stacks", holding little more than return addresses. Shadow stacks aren't writable by normal instructions, and upon function returns their contents are used to check for possible manipulation of a return address coming from the traditional stack. In particular certain memory accesses need intercepting by Xen. In various cases the necessary emulation involves a kind of replaying of the instruction. Such replaying typically involves filling and then invoking a stub. Such a replayed instruction may raise an exception, which is expected and dealt with accordingly. Unfortunately the interaction of both of the above wasn't right: Recovery involves removal of a call frame from the (traditional) stack. The counterpart of this operation for the shadow stack was missing. | CVE-2023-46841 | Unknown | False Positive | 24.10.0 | Link | Don't run untrusted guests. | |
libxencall1 4.17.3+10-g091466ba55-1~deb12u1 | Unlike 32-bit PV guests, HVM guests may switch freely between 64-bit and other modes. This in particular means that they may set registers used to pass 32-bit-mode hypercall arguments to values outside of the range 32-bit code would be able to set them to. When processing of hypercalls takes a considerable amount of time, the hypervisor may choose to invoke a hypercall continuation. Doing so involves putting (perhaps updated) hypercall arguments in respective registers. For guests not running in 64-bit mode this further involves a certain amount of translation of the values. Unfortunately internal sanity checking of these translated values assumes high halves of registers to always be clear when invoking a hypercall. When this is found not to be the case, it triggers a consistency check in the hypervisor and causes a crash. | CVE-2023-46842 | Unknown | False Positive | 24.10.0 | Link | Don't run untrusted guests. | |
dnsmasq-base 2.89-1 | The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations. | CVE-2023-50868 | Unknown | False Positive | 24.10.0 | Link | dnsmasq not used for DNSSEC in TrueNAS | |
libnss3 2:3.87.1-1 | NSS was susceptible to a timing side-channel attack when performing RSA decryption. This attack could potentially allow an attacker to recover the private data. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9. | CVE-2023-5388 | Unknown | False Positive | 24.10.0 | Link | Firefox and Thunderbird not available in TrueNAS. | |
libxencall1 4.17.3+10-g091466ba55-1~deb12u1 | A Speculative Race Condition (SRC) vulnerability that impacts modern CPU architectures supporting speculative execution (related to Spectre V1) has been disclosed. An unauthenticated attacker can exploit this vulnerability to disclose arbitrary data from the CPU using race conditions to access the speculative executable code paths. | CVE-2024-2193 | Unknown | False Positive | 24.10.0 | Link | Do not run untrusted guest VMs. | |
libxencall1 4.17.3+10-g091466ba55-1~deb12u1 | | CVE-2024-2201 | Unknown | False Positive | 24.10.0 | Link | Do not run untrusted guest VMs. | |
stdlib go1.21.6 | Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic. This affects all crypto/tls clients, and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The default behavior is for TLS servers to not verify client certificates. | CVE-2024-24783 | Unknown | False Positive | 24.10.0 | Link | Go stdlib not used for certificate verification. | |
stdlib go1.21.6 | If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing for subsequent actions to inject unexpected content into templates. | CVE-2024-24785 | Unknown | False Positive | 24.10.0 | Link | go stdlib not used to parse untrusted JSON | |
libssl3 3.0.13-1~deb12u2 | Issue summary: Some non-default TLS server configurations can cause unbounded memory growth when processing TLSv1.3 sessions. Impact summary: An attacker may exploit certain server configurations to trigger unbounded memory growth that would lead to a Denial of Service. This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is being used (but not if early_data support is also configured and the default anti-replay protection is in use). In this case, under certain conditions, the session cache can get into an incorrect state and it will fail to flush properly as it fills. The session cache will continue to grow in an unbounded manner. A malicious client could deliberately create the scenario for this failure to force a Denial of Service. It may also happen by accident in normal operation. This issue only affects TLS servers supporting TLSv1.3. It does not affect TLS clients. The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL 1.0.2 is also not affected by this issue. | CVE-2024-2511 | Unknown | False Positive | 24.10.0 | Link | Requires non-default TLS server config. | |
iperf3 3.12-1+deb12u1 | iPerf3 before 3.17, when used with OpenSSL before 3.2.0 as a server with RSA authentication, allows a timing side channel in RSA decryption operations. This side channel could be sufficient for an attacker to recover credential plaintext. It requires the attacker to send a large number of messages for decryption, as described in "Everlasting ROBOT: the Marvin Attack" by Hubert Kario. | CVE-2024-26306 | Unknown | False Positive | 24.10.0 | Link | iperf3 server not used. | |
krb5-user 1.20.1-2+deb12u1 | Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c. | CVE-2024-26458 | Unknown | False Positive | 24.10.0 | Link | Memory leak | |
krb5-user 1.20.1-2+deb12u1 | Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/kdc/ndr.c. | CVE-2024-26462 | Unknown | False Positive | 24.10.0 | Link | Memory leak. | |
libxencall1 4.17.3+10-g091466ba55-1~deb12u1 | Because of a logical error in XSA-407 (Branch Type Confusion), the mitigation is not applied properly when it is intended to be used. XSA-434 (Speculative Return Stack Overflow) uses the same infrastructure, so is equally impacted. For more details, see: https://xenbits.xen.org/xsa/advisory-407.html https://xenbits.xen.org/xsa/advisory-434.html | CVE-2024-31142 | Unknown | False Positive | 24.10.0 | Link | Do not run untrusted guest VMs. | |
libclang-cpp14 1:14.0.6-12 | LLVM before 18.1.3 generates code in which the LR register can be overwritten without data being saved to the stack, and thus there can sometimes be an exploitable error in the flow of control. This affects the ARM backend and can be demonstrated with Clang. NOTE: the vendor perspective is "we don't have strong objections for a CVE to be created ... It does seem that the likelihood of this miscompile enabling an exploit remains very low, because the miscompile resulting in this JOP gadget is such that the function is most likely to crash on most valid inputs to the function. So, if this function is covered by any testing, the miscompile is most likely to be discovered before the binary is shipped to production." | CVE-2024-31852 | Unknown | False Positive | 24.10.0 | Link | ARM cpu only. | |
stdlib go1.21.12 | Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion. | CVE-2024-34155 | Unknown | False Positive | 24.10.0 | Link | Build-time problem only. | |
libopenipmi0 2.0.33-1+b1 | OpenIPMI before 2.0.36 has an out-of-bounds array access (for authentication type) in the ipmi_sim simulator, resulting in denial of service or (with very low probability) authentication bypass or code execution. | CVE-2024-42934 | Unknown | False Positive | 24.10.0 | Link | Simulator not used. | |
libxencall1 4.17.3+10-g091466ba55-1~deb12u1 | In x86's APIC (Advanced Programmable Interrupt Controller) architecture, error conditions are reported in a status register. Furthermore, the OS can opt to receive an interrupt when a new error occurs. It is possible to configure the error interrupt with an illegal vector, which generates an error when an error interrupt is raised. This case causes Xen to recurse through vlapic_error(). The recursion itself is bounded; errors accumulate in the status register and only generate an interrupt when a new status bit becomes set. However, the lock protecting this state in Xen will try to be taken recursively, and deadlock. | CVE-2024-45817 | Unknown | False Positive | 24.10.0 | Link | Do not run untrusted VM guests in TrueNAS. | |
libssl3 3.0.13-1~deb12u2 | | CVE-2024-4741 | Unknown | False Positive | 24.10.0 | Link | Vulnerable code not used in TrueNAS | |
qemu-block-extra 1:7.2+dfsg-7+deb12u6 | | CVE-2024-7730 | Unknown | False Positive | 24.10.0 | Link | Do not run untrusted VM guests. | |
libpython3.11 3.11.2-6+deb12u2 | There is a HIGH severity vulnerability affecting the CPython "zipfile" module affecting "zipfile.Path". Note that the more common API "zipfile.ZipFile" class is unaffected. When iterating over names of entries in a zip archive (for example, methods of "zipfile.Path" like "namelist()", "iterdir()", etc) the process can be put into an infinite loop with a maliciously crafted zip archive. This defect applies when reading only metadata or extracting the contents of the zip archive. Programs that are not handling user-controlled zip archives are not affected. | CVE-2024-8088 | Unknown | False Positive | 24.10.0 | Link | zipfile code not used to parse untrusted zip files. | |
libssl3 3.0.13-1~deb12u2 | Issue summary: Use of the low-level GF(2^m) elliptic curve APIs with untrusted explicit values for the field polynomial can lead to out-of-bounds memory reads or writes. Impact summary: Out of bound memory writes can lead to an application crash or even a possibility of a remote code execution, however, in all the protocols involving Elliptic Curve Cryptography that we're aware of, either only "named curves" are supported, or, if explicit curve parameters are supported, they specify an X9.62 encoding of binary (GF(2^m)) curves that can't represent problematic input values. Thus the likelihood of existence of a vulnerable application is low. In particular, the X9.62 encoding is used for ECC keys in X.509 certificates, so problematic inputs cannot occur in the context of processing X.509 certificates. Any problematic use-cases would have to be using an "exotic" curve encoding. The affected APIs include: EC_GROUP_new_curve_GF2m(), EC_GROUP_new_from_params(), and various supporting BN_GF2m_*() functions. Applications working with "exotic" explicit binary (GF(2^m)) curve parameters, that make it possible to represent invalid field polynomials with a zero constant term, via the above or similar APIs, may terminate abruptly as a result of reading or writing outside of array bounds. Remote code execution cannot easily be ruled out. The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue. | CVE-2024-9143 | Unknown | False Positive | 24.10.0 | Link | libssl not used for explicit EC curves. | |
busybox 1:1.35.0-4+b3 | There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be leveraged to escalate from command execution to arbitrary code execution. | CVE-2022-48174 | critical | False Positive | 24.10.2 | Link | TrueNAS does not make use of busybox in a way that can be reached by this exploit. | |
zlib1g 1:1.2.13.dfsg-1 | MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product. NOTE: pyminizip through 0.2.6 is also vulnerable because it bundles an affected zlib version, and exposes the applicable MiniZip code through its compress API. | CVE-2023-45853 | critical | False Positive | 24.10.2 | Link | TrueNAS doesn't use MiniZip in an exploitable way. | |
rsync 3.2.7-1 | A heap-based buffer overflow flaw was found in the rsync daemon. This issue is due to improper handling of attacker-controlled checksum lengths (s2length) in the code. When MAX_DIGEST_LEN exceeds the fixed SUM_LENGTH (16 bytes), an attacker can write out of bounds in the sum2 buffer. | CVE-2024-12084 | critical | False Positive | 24.10.2 | Link | rsync is not used in daemon mode within TrueNAS SCALE. | |
stdlib go1.21.6 | The various Is methods (IsPrivate, IsLoopback, etc) in net/netip did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms. | CVE-2024-24790 | critical | False Positive | 24.10.2 | Link | TrueNAS doesn't use Go's stdlib for IPv6 IP address checks. | |
git 1:2.39.2-1.1 | Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule's worktree but into a `.git/` directory. This allows writing a hook that will be executed while the clone operation is still running, giving the user no opportunity to inspect the code that is being executed. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. If symbolic link support is disabled in Git (e.g. via `git config --global core.symlinks false`), the described attack won't work. As always, it is best to avoid cloning repositories from untrusted sources. | CVE-2024-32002 | critical | False Positive | 24.10.2 | Link | TrueNAS doesn't use git internally in an exploitable way for this vulnerability. | |
krb5-user 1.20.1-2+deb12u1 | In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields. | CVE-2024-37371 | critical | False Positive | 24.10.2 | Link | TrueNAS isn't acting as a kerberos server. | |
wget 1.21.3-1+b2 | url.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo subcomponent of a URI, and thus there may be insecure behavior in which data that was supposed to be in the userinfo subcomponent is misinterpreted to be part of the host subcomponent. | CVE-2024-38428 | critical | False Positive | 24.10.2 | Link | wget is not used on untrusted URLs. | |
libexpat1 2.5.0-1 | An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX). | CVE-2024-45491 | critical | False Positive | 24.10.2 | Link | Not a 32-bit platform. | |
libexpat1 2.5.0-1 | An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX). | CVE-2024-45492 | critical | False Positive | 24.10.2 | Link | Not a 32-bit platform. | |
libgstreamer-plugins-base1.0-0 1.22.0-3+deb12u2 | GStreamer is a library for constructing graphs of media-handling components. A stack-buffer overflow has been detected in the `vorbis_handle_identification_packet` function within `gstvorbisdec.c`. The position array is a stack-allocated buffer of size 64. If vd->vi.channels exceeds 64, the for loop will write beyond the boundaries of the position array. The value written will always be `GST_AUDIO_CHANNEL_POSITION_NONE`. This vulnerability allows someone to overwrite the EIP address allocated in the stack. Additionally, this bug can overwrite the `GstAudioInfo` info structure. This vulnerability is fixed in 1.24.10. | CVE-2024-47538 | critical | False Positive | 24.10.2 | Link | Qemu dependency. | |
libgstreamer-plugins-base1.0-0 1.22.0-3+deb12u2 | GStreamer is a library for constructing graphs of media-handling components. An OOB-read vulnerability has been detected in the format_channel_mask function in gst-discoverer.c. The vulnerability affects the local array position, which is defined with a fixed size of 64 elements. However, the function gst_discoverer_audio_info_get_channels may return a guint channels value greater than 64. This causes the for loop to attempt access beyond the bounds of the position array, resulting in an OOB-read when an index greater than 63 is used. This vulnerability can result in reading unintended bytes from the stack. Additionally, the dereference of value->value_nick after the OOB-read can lead to further memory corruption or undefined behavior. This vulnerability is fixed in 1.24.10. | CVE-2024-47600 | critical | False Positive | 24.10.2 | Link | Qemu dependency. | |
libgstreamer1.0-0 1.22.0-2 | GStreamer is a library for constructing graphs of media-handling components. An integer underflow has been detected in the function qtdemux_parse_theora_extension within qtdemux.c. The vulnerability occurs due to an underflow of the gint size variable, which causes size to hold a large unintended value when cast to an unsigned integer. This 32-bit negative value is then cast to a 64-bit unsigned integer (0xfffffffffffffffa) in a subsequent call to gst_buffer_new_and_alloc. The function gst_buffer_new_allocate then attempts to allocate memory, eventually calling _sysmem_new_block. The function _sysmem_new_block adds alignment and header size to the (unsigned) size, causing the overflow of the 'slice_size' variable. As a result, only 0x89 bytes are allocated, despite the large input size. When the following memcpy call occurs in gst_buffer_fill, the data from the input file will overwrite the content of the GstMapInfo info structure. Finally, during the call to gst_memory_unmap, the overwritten memory may cause a function pointer hijack, as the mem->allocator->mem_unmap_full function is called with a corrupted pointer. This function pointer overwrite could allow an attacker to alter the execution flow of the program, leading to arbitrary code execution. This vulnerability is fixed in 1.24.10. | CVE-2024-47606 | critical | False Positive | 24.10.2 | Link | Qemu dependency. | |
libgstreamer-plugins-base1.0-0 1.22.0-3+deb12u2 | GStreamer is a library for constructing graphs of media-handling components. A stack-buffer overflow has been detected in the gst_opus_dec_parse_header function within `gstopusdec.c`. The pos array is a stack-allocated buffer of size 64. If n_channels exceeds 64, the for loop will write beyond the boundaries of the pos array. The value written will always be GST_AUDIO_CHANNEL_POSITION_NONE. This bug allows overwriting the EIP address allocated in the stack. This vulnerability is fixed in 1.24.10. | CVE-2024-47607 | critical | False Positive | 24.10.2 | Link | Qemu dependency. | |
libgstreamer-plugins-base1.0-0 1.22.0-3+deb12u2 | GStreamer is a library for constructing graphs of media-handling components. An OOB-Write has been detected in the function gst_parse_vorbis_setup_packet within vorbis_parse.c. The integer size is read from the input file without proper validation. As a result, size can exceed the fixed size of the pad->vorbis_mode_sizes array (which size is 256). When this happens, the for loop overwrites the entire pad structure with 0s and 1s, affecting adjacent memory as well. This OOB-write can overwrite up to 380 bytes of memory beyond the boundaries of the pad->vorbis_mode_sizes array. This vulnerability is fixed in 1.24.10. | CVE-2024-47615 | critical | False Positive | 24.10.2 | Link | Qemu dependency. | |
libglib2.0-0 2.74.6-2+deb12u3 | gio/gsocks4aproxy.c in GNOME GLib before 2.82.1 has an off-by-one error and resultant buffer overflow because SOCKS4_CONN_MSG_LEN is not sufficient for a trailing '\0' character. | CVE-2024-52533 | critical | False Positive | 24.10.2 | Link | SOCKS4 not being used. | |
libssl3 3.0.13-1~deb12u2 | Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an empty supported client protocols buffer may cause a crash or memory contents to be sent to the peer. Impact summary: A buffer overread can have a range of potential consequences such as unexpected application behaviour or a crash. In particular this issue could result in up to 255 bytes of arbitrary private data from memory being sent to the peer leading to a loss of confidentiality. However, only applications that directly call the SSL_select_next_proto function with a 0 length list of supported client protocols are affected by this issue. This would normally never be a valid scenario and is typically not under attacker control but may occur by accident in the case of a configuration or programming error in the calling application. The OpenSSL API function SSL_select_next_proto is typically used by TLS applications that support ALPN (Application Layer Protocol Negotiation) or NPN (Next Protocol Negotiation). NPN is older, was never standardised and is deprecated in favour of ALPN. We believe that ALPN is significantly more widely deployed than NPN. The SSL_select_next_proto function accepts a list of protocols from the server and a list of protocols from the client and returns the first protocol that appears in the server list that also appears in the client list. In the case of no overlap between the two lists it returns the first item in the client list. In either case it will signal whether an overlap between the two lists was found. In the case where SSL_select_next_proto is called with a zero length client list it fails to notice this condition and returns the memory immediately following the client list pointer (and reports that there was no overlap in the lists). This function is typically called from a server side application callback for ALPN or a client side application callback for NPN. In the case of ALPN the list of protocols supplied by the client is guaranteed by libssl to never be zero in length. The list of server protocols comes from the application and should never normally be expected to be of zero length. In this case if the SSL_select_next_proto function has been called as expected (with the list supplied by the client passed in the client/client_len parameters), then the application will not be vulnerable to this issue. If the application has accidentally been configured with a zero length server list, and has accidentally passed that zero length server list in the client/client_len parameters, and has additionally failed to correctly handle a "no overlap" response (which would normally result in a handshake failure in ALPN) then it will be vulnerable to this problem. In the case of NPN, the protocol permits the client to opportunistically select a protocol when there is no overlap. OpenSSL returns the first client protocol in the no overlap case in support of this. The list of client protocols comes from the application and should never normally be expected to be of zero length. However if the SSL_select_next_proto function is accidentally called with a client_len of 0 then an invalid memory pointer will be returned instead. If the application uses this output as the opportunistic protocol then the loss of confidentiality will occur. This issue has been assessed as Low severity because applications are most likely to be vulnerable if they are using NPN instead of ALPN - but NPN is not widely used. It also requires an application configuration or programming error. Finally, this issue would not typically be under attacker control making active exploitation unlikely. The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue. Due to the low severity of this issue we are not issuing new releases of OpenSSL at this time. The fix will be included in the next releases when they become available. | CVE-2024-5535 | critical | False Positive | 24.10.2 | Link | TrueNAS doesn't use NPN. FIPS is not affected. | |
libnss3 2:3.87.1-1 | A mismatch between allocator and deallocator could have led to memory corruption. This vulnerability affects Firefox < 128, Firefox ESR < 115.13, Thunderbird < 115.13, and Thunderbird < 128. | CVE-2024-6602 | critical | False Positive | 24.10.2 | Link | Firefox and Thunderbird not present. | |
pillow 9.4.0 | Arbitrary Code Execution in Pillow | GHSA-3f63-hfp8-52jq | critical | False Positive | 24.10.2 | Link | Pillow code not reachable for arbitrary images. | |
gitpython 3.1.30 | GitPython vulnerable to remote code execution due to insufficient sanitization of input arguments | GHSA-pr76-5cm5-w9cj | critical | False Positive | 24.10.2 | Link | TrueNAS doesn't use GitPython with untrusted git repos. | |
github.com/docker/docker v27.0.3+incompatible | Authz zero length regression | GHSA-v23v-6jw2-98fq | critical | False Positive | 24.10.2 | Link | Do not run untrusted applications on your TrueNAS system. | |
golang.org/x/crypto v0.17.0 | Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto | GHSA-v778-237x-gjrc | critical | False Positive | 24.10.2 | Link | Functions not in use. | |
python3-rsa 4.8-1 | It was found that python-rsa is vulnerable to Bleichenbacher timing attacks. An attacker can use this flaw via the RSA decryption API to decrypt parts of the cipher text encrypted with RSA. | CVE-2020-25658 | high | False Positive | 24.10.2 | Link | Python-rsa not in use. | |
libopenjp2-7 2.5.0-2 | A heap-based buffer overflow was found in openjpeg in color.c:379:42 in sycc420_to_rgb when decompressing a crafted .j2k file. An attacker could use this to execute arbitrary code with the permissions of the application compiled against openjpeg. | CVE-2021-3575 | high | False Positive | 24.10.2 | Link | TrueNAS does not use libopenjp2 for processing untrusted images. | |
firmware-amd-graphics 20240709-2~bpo12+1 | Improper access control for some Intel(R) PROSet/Wireless WiFi and Killer(TM) WiFi software may allow a privileged user to potentially enable escalation of privilege via local access. | CVE-2022-27635 | high | False Positive | 24.10.2 | Link | Wifi not used. | |
qemu-block-extra 1:7.2+dfsg-7+deb12u6 | An off-by-one read/write issue was found in the SDHCI device of QEMU. It occurs when reading/writing the Buffer Data Port Register in sdhci_read_dataport and sdhci_write_dataport, respectively, if data_count == block_size. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition. | CVE-2022-3872 | high | False Positive | 24.10.2 | Link | Do not run untrusted guest VMs. | |
firmware-amd-graphics 20240709-2~bpo12+1 | Improper access control for some Intel(R) PROSet/Wireless WiFi and Killer(TM) WiFi software may allow a privileged user to potentially enable escalation of privilege via local access. | CVE-2022-40964 | high | False Positive | 24.10.2 | Link | Wifi not used. | |
firmware-amd-graphics 20240709-2~bpo12+1 | Protection mechanism failure for some Intel(R) PROSet/Wireless WiFi software may allow a privileged user to potentially enable escalation of privilege via local access. | CVE-2022-46329 | high | False Positive | 24.10.2 | Link | Wifi not used. | |
libgfapi0 10.3-5 | In Gluster GlusterFS 11.0, there is an xlators/cluster/dht/src/dht-common.c dht_setxattr_mds_cbk use-after-free. | CVE-2022-48340 | high | False Positive | 24.10.2 | Link | Gluster FS not used internally. | |
libxml2 2.9.14+dfsg-1.3~deb12u1 | xmlXIncludeAddNode in xinclude.c in libxml2 before 2.11.0 has a use-after-free. | CVE-2022-49043 | high | False Positive | 24.10.2 | Link | Qemu dependency. | |
libharfbuzz0b 6.0.0+dfsg-3 | hb-ot-layout-gsubgpos.hh in HarfBuzz through 6.0.0 allows attackers to trigger O(n^2) growth via consecutive marks during the process of looking back for base glyphs when attaching marks. | CVE-2023-25193 | high | False Positive | 24.10.2 | Link | TrueNAS is not using harfbuzz to display attacker chosen strings. | |
git 1:2.39.2-1.1 | Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, by feeding specially crafted input to `git apply --reject`, a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch). A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid using `git apply` with `--reject` when applying patches from an untrusted source. Use `git apply --stat` to inspect a patch before applying; avoid applying one that creates a conflict where a link corresponding to the `*.rej` file exists. | CVE-2023-25652 | high | False Positive | 24.10.2 | Link | TrueNAS doesn't run git apply internally. | |
vim-common 2:9.0.1378-2 | Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.1532. | CVE-2023-2610 | high | False Positive | 24.10.2 | Link | Only vulnerable if untrusted file is run in script mode. | |
dnsmasq-base 2.89-1 | An issue was discovered in Dnsmasq before 2.90. The default maximum EDNS.0 UDP packet size was set to 4096 but should be 1232 because of DNS Flag Day 2020. | CVE-2023-28450 | high | False Positive | 24.10.2 | Link | dnsmasq is not used in a vulnerable way. | |
git 1:2.39.2-1.1 | Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, a specially crafted `.gitmodules` file with submodule URLs that are longer than 1024 characters can be used to exploit a bug in `config.c::git_config_copy_or_rename_section_in_file()`. This bug can be used to inject arbitrary configuration into a user's `$GIT_DIR/config` when attempting to remove the configuration section associated with that submodule. When the attacker injects configuration values which specify executables to run (such as `core.pager`, `core.editor`, `core.sshCommand`, etc.) this can lead to a remote code execution. A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid running `git submodule deinit` on untrusted repositories or without prior inspection of any submodule sections in `$GIT_DIR/config`. | CVE-2023-29007 | high | False Positive | 24.10.2 | Link | TrueNAS does not use git on untrusted repos. | |
python3-dnspython 2.3.0-1 | eventlet before 0.35.2, as used in dnspython before 2.6.0, allows remote attackers to interfere with DNS name resolution by quickly sending an invalid packet from the expected IP address and source port, aka a "TuDoor" attack. In other words, dnspython does not have the preferred behavior in which the DNS name resolution algorithm would proceed, within the full time window, in order to wait for a valid packet. NOTE: dnspython 2.6.0 is unusable for a different reason that was addressed in 2.6.1. | CVE-2023-29483 | high | False Positive | 24.10.2 | Link | TrueNAS does not use dnspython for arbitrary DNS resolution | |
libldap-2.5-0 2.5.13+dfsg-5 | A vulnerability was found in openldap. This security flaw causes a null pointer dereference in ber_memalloc_x() function. | CVE-2023-2953 | high | Low | 24.10.2 | Link | iX considers risk to be low. There are no known exploits of this null pointer bug. | |
amd64-microcode 3.20230808.1.1~deb12u1 | Improper validation in a model specific register (MSR) could allow a malicious program with ring0 access to modify SMM configuration while SMI lock is enabled, potentially leading to arbitrary code execution. | CVE-2023-31315 | high | False Positive | 24.10.2 | Link | No untrusted code with ring0 access. | |
libperl5.36 5.36.0-7+deb12u1 | CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS. | CVE-2023-31484 | high | False Positive | 24.10.2 | Link | CPAN is not used in a vulnerable way. | |
sysstat 12.6.1-1 | sysstat through 12.7.2 allows a multiplication integer overflow in check_overflow in common.c. NOTE: this issue exists because of an incomplete fix for CVE-2022-39377. | CVE-2023-33204 | high | False Positive | 24.10.2 | Link | sysstat is not used in a vulnerable way. | |
truenas-sssd 2.9.5-2 | A race condition flaw was found in sssd where the GPO policy is not consistently applied for authenticated users. This may lead to improper authorization issues, granting or denying access to resources inappropriately. | CVE-2023-3758 | high | False Positive | 24.10.2 | Link | Race condition that requires non-default configuration. | |
busybox 1:1.35.0-4+b3 | An issue in the CPIO command of Busybox v1.33.2 allows attackers to execute a directory traversal. | CVE-2023-39810 | high | False Positive | 24.10.2 | Link | Busybox not used for CPIO | |
shim-unsigned 15.7-1 | A remote code execution vulnerability was found in Shim. The Shim boot support trusts attacker-controlled values when parsing an HTTP response. This flaw allows an attacker to craft a specific malicious HTTP request, leading to a completely controlled out-of-bounds write primitive and complete system compromise. This flaw is only exploitable during the early boot phase, an attacker needs to perform a Man-in-the-Middle or compromise the boot server to be able to exploit this vulnerability successfully. | CVE-2023-40547 | high | False Positive | 24.10.2 | Link | Shim not used for http-based booting. | |
shim-unsigned 15.7-1 | A buffer overflow was found in Shim in the 32-bit system. The overflow happens due to an addition operation involving a user-controlled value parsed from the PE binary being used by Shim. This value is further used for memory allocation operations, leading to a heap-based buffer overflow. This flaw causes memory corruption and can lead to a crash or data integrity issues during the boot phase. | CVE-2023-40548 | high | False Positive | 24.10.2 | Link | Not a 32-bit platform. | |
sudo 1.9.13p3-1+deb12u1 | Sudo before 1.9.15 might allow row hammer attacks (for authentication bypass or privilege escalation) because application logic sometimes is based on not equaling an error value (instead of equaling a success value), and because the values do not resist flips of a single bit. | CVE-2023-42465 | high | Low | 24.10.2 | Link | Rowhammer attacks are hardware-based; it's nearly impossible to completely fix this issue in software. Do not run untrusted VMs or containers on your TrueNAS. | |
intel-microcode 3.20240514.1~deb12u1 | Improper isolation in the Intel(R) Core(TM) Ultra Processor stream cache mechanism may allow an authenticated user to potentially enable escalation of privilege via local access. | CVE-2023-42667 | high | Low | 24.10.2 | Link | Exploit requires local authenticated access and specific Intel CPU | |
nginx 1.22.1-9 | The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. | CVE-2023-44487 | high | Low | 24.10.2 | Link | Do not expose your TrueNAS HTTP ports to the internet. | |
stdlib go1.21.6 | An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection. | CVE-2023-45288 | high | False Positive | 24.10.2 | Link | Go's stdlib not used for serving HTTP. | |
vim-common 2:9.0.1378-2 | Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1848. | CVE-2023-4738 | high | False Positive | 24.10.2 | Link | Requires obscure vim use. No known exploit. | |
vim-common 2:9.0.1378-2 | Use After Free in GitHub repository vim/vim prior to 9.0.1858. | CVE-2023-4752 | high | False Positive | 24.10.2 | Link | Requires vim use; no escalation | |
vim-common 2:9.0.1378-2 | Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1873. | CVE-2023-4781 | high | False Positive | 24.10.2 | Link | Requires vim use; no escalation | |
dnsmasq-base 2.89-1 | Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records. | CVE-2023-50387 | high | False Positive | 24.10.2 | Link | dnsmasq not used in a way that this exploit can reach. | |
python3-cryptography 38.0.4-3 | A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data. | CVE-2023-50782 | high | False Positive | 24.10.2 | Link | Not serving TLS via this code. | |
p7zip 16.02+dfsg-8 | The NtfsHandler.cpp NTFS handler in 7-Zip before 24.01 (for 7zz) contains a heap-based buffer overflow that allows an attacker to overwrite two bytes at multiple offsets beyond the allocated buffer size: buffer+512*i-2, for i=9, i=10, i=11, etc. | CVE-2023-52168 | high | False Positive | 24.10.2 | Link | p7zip not used internally. | |
libtiff6 4.5.0-6+deb12u1 | An out-of-memory flaw was found in libtiff that could be triggered by passing a crafted tiff file to the TIFFRasterScanlineSize64() API. This flaw allows a remote attacker to cause a denial of service via a crafted input with a size smaller than 379 KB. | CVE-2023-52355 | high | False Positive | 24.10.2 | Link | libtiff not used internally. | |
libtiff6 4.5.0-6+deb12u1 | A segment fault (SEGV) flaw was found in libtiff that could be triggered by passing a crafted tiff file to the TIFFReadRGBATileExt() API. This flaw allows a remote attacker to cause a heap-buffer overflow, leading to a denial of service. | CVE-2023-52356 | high | False Positive | 24.10.2 | Link | libtiff not used internally. | |
libexpat1 2.5.0-1 | libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed. | CVE-2023-52425 | high | False Positive | 24.10.2 | Link | Unreachable denial of service. | |
vim-common 2:9.0.1378-2 | Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1969. | CVE-2023-5344 | high | False Positive | 24.10.2 | Link | Requires vim use; no escalation | |
libnss3 2:3.87.1-1 | An unchecked return value in TLS handshake code could have caused a potentially exploitable crash. This vulnerability affects Firefox < 122, Firefox ESR < 115.9, and Thunderbird < 115.9. | CVE-2024-0743 | high | False Positive | 24.10.2 | Link | Firefox and Thunderbird not included in TrueNAS. | |
bind9-dnsutils 1:9.18.24-1 | A malicious client can send many DNS messages over TCP, potentially causing the server to become unstable while the attack is in progress. The server may recover after the attack ceases. Use of ACLs will not mitigate the attack. This issue affects BIND 9 versions 9.18.1 through 9.18.27, 9.19.0 through 9.19.24, and 9.18.11-S1 through 9.18.27-S1. | CVE-2024-0760 | high | False Positive | 24.10.2 | Link | TrueNAS is not serving DNS. | |
rsync 3.2.7-1 | A flaw was found in the rsync daemon which could be triggered when rsync compares file checksums. This flaw allows an attacker to manipulate the checksum length (s2length) to cause a comparison between a checksum and uninitialized memory and leak one byte of uninitialized stack data at a time. | CVE-2024-12085 | high | False Positive | 24.10.2 | Link | Rsync not used in daemon mode. | |
bind9-dnsutils 1:9.18.24-1 | Resolver caches and authoritative zone databases that hold significant numbers of RRs for the same hostname (of any RTYPE) can suffer from degraded performance as content is being added or updated, and also when handling client queries for this name. This issue affects BIND 9 versions 9.11.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.11.4-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.27-S1. | CVE-2024-1737 | high | False Positive | 24.10.2 | Link | TrueNAS is not using bind9 for caching results. | |
bind9-dnsutils 1:9.18.24-1 | If a server hosts a zone containing a "KEY" Resource Record, or a resolver DNSSEC-validates a "KEY" Resource Record from a DNSSEC-signed domain in cache, a client can exhaust resolver CPU resources by sending a stream of SIG(0) signed requests. This issue affects BIND 9 versions 9.0.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.49-S1, and 9.18.11-S1 through 9.18.27-S1. | CVE-2024-1975 | high | False Positive | 24.10.2 | Link | TrueNAS is not using bind9 to cache results. | |
libarchive13 3.6.2-1+deb12u1 | Windows libarchive Remote Code Execution Vulnerability | CVE-2024-20696 | high | False Positive | 24.10.2 | Link | No windows involvement. | |
intel-microcode 3.20240514.1~deb12u1 | Incorrect default permissions in some Intel(R) Xeon(R) processor memory controller configurations when using Intel(R) SGX may allow a privileged user to potentially enable escalation of privilege via local access. | CVE-2024-21820 | high | False Positive | 24.10.2 | Link | Requires privileged access. | |
vim-common 2:9.0.1378-2 | Vim before 9.0.2142 has a stack-based buffer overflow because did_set_langmap in map.c calls sprintf to write to the error buffer that is passed down to the option callback functions. | CVE-2024-22667 | high | False Positive | 24.10.2 | Link | Requires vim use; no escalation | |
intel-microcode 3.20240514.1~deb12u1 | Improper conditions check in some Intel(R) Xeon(R) processor memory controller configurations when using Intel(R) SGX may allow a privileged user to potentially enable escalation of privilege via local access. | CVE-2024-23918 | high | False Positive | 24.10.2 | Link | Requires privileged access. | |
curl 7.88.1-10+deb12u5 | When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory. Further, this error condition fails silently and is therefore not easily detected by an application. | CVE-2024-2398 | high | False Positive | 24.10.2 | Link | TrueNAS does not use libcurl in a vulnerable way. | |
stdlib go1.21.6 | The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers. | CVE-2024-24784 | high | False Positive | 24.10.2 | Link | TrueNAS does not use ParseAddressList | |
stdlib go1.21.6 | The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail. | CVE-2024-24791 | high | False Positive | 24.10.2 | Link | TrueNAS is not using net/http client. | |
intel-microcode 3.20240514.1~deb12u1 | Incorrect behavior order in transition between executive monitor and SMI transfer monitor (STM) in some Intel(R) Processor may allow a privileged user to potentially enable escalation of privilege via local access. | CVE-2024-24853 | high | False Positive | 24.10.2 | Link | Requires local privileged access. | |
libxml2 2.9.14+dfsg-1.3~deb12u1 | An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free. | CVE-2024-25062 | high | False Positive | 24.10.2 | Link | TrueNAS is not processing XML from attackers. | |
python3-cryptography 38.0.4-3 | cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting in version 38.0.0 and prior to version 42.0.4, if `pkcs12.serialize_key_and_certificates` is called with both a certificate whose public key did not match the provided private key and an `encryption_algorithm` with `hmac_hash` set (via `PrivateFormat.PKCS12.encryption_builder().hmac_hash(...)`), then a NULL pointer dereference would occur, crashing the Python process. This has been resolved in version 42.0.4, the first version in which a `ValueError` is properly raised. | CVE-2024-26130 | high | False Positive | 24.10.2 | Link | TrueNAS does not use cryptography package in a vulnerable way. | |
libxencall1 4.17.3+10-g091466ba55-1~deb12u1 | An optional feature of PCI MSI called "Multiple Message" allows a device to use multiple consecutive interrupt vectors. Unlike for MSI-X, the setting up of these consecutive vectors needs to happen all in one go. In this handling an error path could be taken in different situations, with or without a particular lock held. This error path wrongly releases the lock even when it is not currently held. | CVE-2024-31143 | high | False Positive | 24.10.2 | Link | Don't run untrusted guests. | |
libxencall1 4.17.3+10-g091466ba55-1~deb12u1 | Certain PCI devices in a system might be assigned Reserved Memory Regions (specified via Reserved Memory Region Reporting, "RMRR") for Intel VT-d or Unity Mapping ranges for AMD-Vi. These are typically used for platform tasks such as legacy USB emulation. Since the precise purpose of these regions is unknown, once a device associated with such a region is active, the mappings of these regions need to remain continuously accessible by the device. In the logic establishing these mappings, error handling was flawed, resulting in such mappings potentially remaining in place when they should have been removed again. Respective guests would then gain access to memory regions which they aren't supposed to have access to. | CVE-2024-31145 | high | False Positive | 24.10.2 | Link | Do not run untrusted guest VMs. | |
libxencall1 4.17.3+10-g091466ba55-1~deb12u1 | When multiple devices share resources and one of them is to be passed through to a guest, security of the entire system and of respective guests individually cannot really be guaranteed without knowing internals of any of the involved guests. Therefore such a configuration cannot really be security-supported, yet making that explicit was so far missing. Resources the sharing of which is known to be problematic include, but are not limited to: PCI Base Address Registers (BARs) of multiple devices mapping to the same page (4k on x86), and INTx lines. | CVE-2024-31146 | high | False Positive | 24.10.2 | Link | Do not run untrusted guest VMs. | |
git 1:2.39.2-1.1 | Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, an attacker can prepare a local repository in such a way that, when cloned, will execute arbitrary code during the operation. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid cloning repositories from untrusted sources. | CVE-2024-32004 | high | False Positive | 24.10.2 | Link | Git not used with untrusted repositories. | |
git 1:2.39.2-1.1 | Git is a revision control system. The Git project recommends to avoid working in untrusted repositories, and instead to clone it first with `git clone --no-local` to obtain a clean copy. Git has specific protections to make that a safe operation even with an untrusted source repository, but vulnerabilities allow those protections to be bypassed. In the context of cloning local repositories owned by other users, this vulnerability has been covered in CVE-2024-32004. But there are circumstances where the fixes for CVE-2024-32004 are not enough: For example, when obtaining a `.zip` file containing a full copy of a Git repository, it should not be trusted by default to be safe, as e.g. hooks could be configured to run within the context of that repository. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid using Git in repositories that have been obtained via archives from untrusted sources. | CVE-2024-32465 | high | False Positive | 24.10.2 | Link | Git not used with untrusted repos. | |
libunbound8 1.17.1-2+deb12u2 | The DNS protocol in RFC 1035 and updates allows remote attackers to cause a denial of service (resource consumption) by arranging for DNS queries to be accumulated for seconds, such that responses are later sent in a pulsing burst (which can be considered traffic amplification in some cases), aka the "DNSBomb" issue. | CVE-2024-33655 | high | False Positive | 24.10.2 | Link | DNS resolution not used in vulnerable fashion. | |
stdlib go1.21.12 | Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635. | CVE-2024-34156 | high | False Positive | 24.10.2 | Link | Decode not used. | |
stdlib go1.21.12 | Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion. | CVE-2024-34158 | high | False Positive | 24.10.2 | Link | Build time issue. | |
krb5-user 1.20.1-2+deb12u1 | In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application. | CVE-2024-37370 | high | Low | 24.10.2 | Link | No proof-of-concepts exist at this time. | |
bind9-dnsutils 1:9.18.24-1 | Client queries that trigger serving stale data and that also require lookups in local authoritative zone data may result in an assertion failure. This issue affects BIND 9 versions 9.16.13 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.11.33-S1 through 9.11.37-S1, 9.16.13-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.27-S1. | CVE-2024-4076 | high | False Positive | 24.10.2 | Link | Assertion failure won't cause system issue. | |
qemu-block-extra 1:7.2+dfsg-7+deb12u6 | A flaw was found in the QEMU disk image utility (qemu-img) 'info' command. A specially crafted image file containing a `json:{}` value describing block devices in QMP could cause the qemu-img process on the host to consume large amounts of memory or CPU time, leading to denial of service or read/write to an existing external file. | CVE-2024-4467 | high | False Positive | 24.10.2 | Link | Don't use untrusted QEMU images. | |
libexpat1 2.5.0-1 | An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer. | CVE-2024-45490 | high | False Positive | 24.10.2 | Link | TrueNAS doesn't use libexpat on untrusted XML. | |
libxencall1 4.17.3+10-g091466ba55-1~deb12u1 | In x86's APIC (Advanced Programmable Interrupt Controller) architecture, error conditions are reported in a status register. Furthermore, the OS can opt to receive an interrupt when a new error occurs. It is possible to configure the error interrupt with an illegal vector, which generates an error when an error interrupt is raised. This case causes Xen to recurse through vlapic_error(). The recursion itself is bounded; errors accumulate in the status register and only generate an interrupt when a new status bit becomes set. However, the lock protecting this state in Xen will try to be taken recursively, and deadlock. | CVE-2024-45817 | high | False Positive | 24.10.2 | Link | Do not run untrusted VM guests in TrueNAS. | |
liboath0 2.6.7-3.1 | pam_oath.so in oath-toolkit 2.6.7 through 2.6.11 before 2.6.12 allows root privilege escalation because, in the context of PAM code running as root, it mishandles usersfile access, such as by calling fchown in the presence of a symlink. | CVE-2024-47191 | high | False Positive | 24.10.2 | Link | TrueNAS does not use vulnerable PAM config required for this vulnerability. | |
libssl3 3.0.13-1~deb12u2 | Issue summary: Calling the OpenSSL API function SSL_free_buffers may cause memory to be accessed that was previously freed in some situations. Impact summary: A use after free can have a range of potential consequences such as the corruption of valid data, crashes or execution of arbitrary code. However, only applications that directly call the SSL_free_buffers function are affected by this issue. Applications that do not call this function are not vulnerable. Our investigations indicate that this function is rarely used by applications. The SSL_free_buffers function is used to free the internal OpenSSL buffer used when processing an incoming record from the network. The call is only expected to succeed if the buffer is not currently in use. However, two scenarios have been identified where the buffer is freed even when still in use. The first scenario occurs where a record header has been received from the network and processed by OpenSSL, but the full record body has not yet arrived. In this case calling SSL_free_buffers will succeed even though a record has only been partially processed and the buffer is still in use. The second scenario occurs where a full record containing application data has been received and processed by OpenSSL but the application has only read part of this data. Again a call to SSL_free_buffers will succeed even though the buffer is still in use. While these scenarios could occur accidentally during normal operation a malicious attacker could attempt to engineer a situation where this occurs. We are not aware of this issue being actively exploited. The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue. | CVE-2024-4741 | high | False Positive | 24.10.2 | Link | Vulnerable code not used in TrueNAS | |
libgstreamer-plugins-base1.0-0 1.22.0-3+deb12u2 | GStreamer is a library for constructing graphs of media-handling components. An OOB-write vulnerability has been identified in the gst_ssa_parse_remove_override_codes function of the gstssaparse.c file. This function is responsible for parsing and removing SSA (SubStation Alpha) style override codes, which are enclosed in curly brackets ({}). The issue arises when a closing curly bracket "}" appears before an opening curly bracket "{" in the input string. In this case, memmove() incorrectly duplicates a substring. With each successive loop iteration, the size passed to memmove() becomes progressively larger (strlen(end+1)), leading to a write beyond the allocated memory bounds. This vulnerability is fixed in 1.24.10. | CVE-2024-47541 | high | False Positive | 24.10.2 | Link | Library not used in vulnerable specific configuration. | |
libgstreamer-plugins-base1.0-0 1.22.0-3+deb12u2 | GStreamer is a library for constructing graphs of media-handling components. A null pointer dereference has been discovered in the id3v2_read_synch_uint function, located in id3v2.c. If id3v2_read_synch_uint is called with a null work->hdr.frame_data, the pointer guint8 *data is accessed without validation, resulting in a null pointer dereference. This vulnerability can result in a Denial of Service (DoS) by triggering a segmentation fault (SEGV). This vulnerability is fixed in 1.24.10. | CVE-2024-47542 | high | False Positive | 24.10.2 | Link | Library not used in vulnerable specific configuration. | |
libgstreamer-plugins-base1.0-0 1.22.0-3+deb12u2 | GStreamer is a library for constructing graphs of media-handling components. A null pointer dereference vulnerability has been detected in the parse_lrc function within gstsubparse.c. The parse_lrc function calls strchr() to find the character ']' in the string line. The pointer returned by this call is then passed to g_strdup(). However, if the string line does not contain the character ']', strchr() returns NULL, and a call to g_strdup(start + 1) leads to a null pointer dereference. This vulnerability is fixed in 1.24.10. | CVE-2024-47835 | high | False Positive | 24.10.2 | Link | Library not used in vulnerable specific configuration. | |
proftpd-core 1.3.8+dfsg-4+deb12u3 | In ProFTPD through 1.3.8b before cec01cc, supplemental group inheritance grants unintended access to GID 0 because of the lack of supplemental groups from mod_sql. | CVE-2024-48651 | high | False Positive | 24.10.2 | Link | proftpd not used with mod_sql | |
iperf3 3.12-1+deb12u1 | iperf v3.17.1 was discovered to contain a segmentation violation via the iperf_exchange_parameters() function. | CVE-2024-53580 | high | False Positive | 24.10.2 | Link | Requires iperf use; no escalation | |
python3-jinja2 3.1.2-1 | Jinja is an extensible templating engine. In versions on the 3.x branch prior to 3.1.5, a bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of if Jinja's sandbox is used. To exploit the vulnerability, an attacker needs to control both the filename and the contents of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates where the template author can also choose the template filename. This vulnerability is fixed in 3.1.5. | CVE-2024-56201 | high | False Positive | 24.10.2 | Link | Requires attacker control of template | |
python3-jinja2 3.1.2-1 | Jinja is an extensible templating engine. Prior to 3.1.5, An oversight in how the Jinja sandboxed environment detects calls to str.format allows an attacker that controls the content of a template to execute arbitrary Python code. To exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates. Jinja's sandbox does catch calls to str.format and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's format method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox. This vulnerability is fixed in 3.1.5. | CVE-2024-56326 | high | False Positive | 24.10.2 | Link | Requires attacker control of template | |
grub-common 2.99-9 | GNU GRUB (aka GRUB2) through 2.12 has a heap-based buffer overflow in fs/hfs.c via crafted sblock data in an HFS filesystem. | CVE-2024-56737 | high | False Positive | 24.10.2 | Link | Requires HFS use | |
libssl3 3.0.13-1~deb12u2 | Issue summary: Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address resulting in abnormal termination of the application process. Impact summary: Abnormal termination of an application can cause a denial of service. Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address when comparing the expected name with an `otherName` subject alternative name of an X.509 certificate. This may result in an exception that terminates the application program. Note that basic certificate chain validation (signatures, dates, ...) is not affected; the denial of service can occur only when the application also specifies an expected DNS name, Email address or IP address. TLS servers rarely solicit client certificates, and even when they do, they generally don't perform a name check against a reference identifier (expected identity), but rather extract the presented identity after checking the certificate chain. So TLS servers are generally not affected and the severity of the issue is Moderate. The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue. | CVE-2024-6119 | high | False Positive | 24.10.2 | Link | libssl not used for TLS client certificate checking | |
python3-pkg-resources 66.1.1-1 | A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0. | CVE-2024-6345 | high | False Positive | 24.10.2 | Link | setuptools not used at runtime | |
qemu-block-extra 1:7.2+dfsg-7+deb12u6 | A use-after-free vulnerability was found in the QEMU LSI53C895A SCSI Host Bus Adapter emulation. This issue can lead to a crash or VM escape. | CVE-2024-6519 | high | False Positive | 24.10.2 | Link | QEMU not used for LSI HBA emulation. | |
libnss3 2:3.87.1-1 | When almost out-of-memory an elliptic curve key which was never allocated could have been freed again. This vulnerability affects Firefox < 128 and Thunderbird < 128. | CVE-2024-6609 | high | False Positive | 24.10.2 | Link | Firefox and Thunderbird not available on system. | |
libgtk-3-0 3.24.38-2~deb12u1 | A flaw was found in the GTK library. Under certain conditions, it is possible for a library to be injected into a GTK application from the current working directory. | CVE-2024-6655 | high | False Positive | 24.10.2 | Link | GTK applications not reachable from TrueNAS internals. | |
libtiff6 4.5.0-6+deb12u1 | A null pointer dereference flaw was found in Libtiff via `tif_dirinfo.c`. This issue may allow an attacker to trigger memory allocation failures through certain means, such as restricting the heap space size or injecting faults, causing a segmentation fault. This can cause an application crash, eventually leading to a denial of service. | CVE-2024-7006 | high | False Positive | 24.10.2 | Link | libtiff not exposed to forced memory failures | |
libnbd0 1.14.2-1 | A flaw was found in libnbd. The client did not always correctly verify the NBD server's certificate when using TLS to connect to an NBD server. This issue allows a man-in-the-middle attack on NBD traffic. | CVE-2024-7383 | high | False Positive | 24.10.2 | Link | libnbd not used in vulnerable fashion | |
qemu-block-extra 1:7.2+dfsg-7+deb12u6 | A flaw was found in the QEMU NBD Server. This vulnerability allows a denial of service (DoS) attack via improper synchronization during socket closure when a client keeps a socket open as the server is taken offline. | CVE-2024-7409 | high | False Positive | 24.10.2 | Link | qemu not used in vulnerable fashion | |
qemu-block-extra 1:7.2+dfsg-7+deb12u6 | A heap buffer overflow was found in the virtio-snd device in QEMU. When reading input audio in the virtio-snd input callback, virtio_snd_pcm_in_cb, the function did not check whether the iov can fit the data buffer. This issue can trigger an out-of-bounds write if the size of the virtio queue element is equal to virtio_snd_pcm_status, which makes the available space for audio data zero. | CVE-2024-7730 | high | False Positive | 24.10.2 | Link | Do not run untrusted VM guests. | |
gitpython 3.1.30 | Untrusted search path under some conditions on Windows allows arbitrary code execution | GHSA-2mqj-m65w-jghx | high | False Positive | 24.10.2 | Link | Windows vulnerability. | |
cryptography 38.0.4 | Python Cryptography package vulnerable to Bleichenbacher timing oracle attack | GHSA-3ww4-gg4f-jr7f | high | False Positive | 24.10.2 | Link | Don't use RSA keys going forward. TrueNAS does not choose RSA for crypto keys. | |
pillow 9.4.0 | Pillow buffer overflow vulnerability | GHSA-44wm-f244-xhp3 | high | False Positive | 24.10.2 | Link | Pillow not installed. | |
pillow 9.4.0 | Bundled libwebp in Pillow vulnerable | GHSA-56pw-mpj4-fxww | high | False Positive | 24.10.2 | Link | Pillow code not reachable for untrusted images. | |
aiohttp 3.8.5 | aiohttp is vulnerable to directory traversal | GHSA-5h86-8mv2-jq9f | high | False Positive | 24.10.2 | Link | aiohttp not used in vulnerable fashion | |
aiohttp 3.8.5 | aiohttp vulnerable to Denial of Service when trying to parse malformed POST requests | GHSA-5m98-qgg9-wh84 | high | False Positive | 24.10.2 | Link | aiohttp not used for arbitrary POST requests. | |
cryptography 38.0.4 | cryptography NULL pointer dereference with pkcs12.serialize_key_and_certificates when called with a non-matching certificate and private key and an hmac_hash override | GHSA-6vqw-3v5j-54x4 | high | False Positive | 24.10.2 | Link | cryptography not called with unmatching certs and keys. | |
pillow 9.4.0 | Pillow Denial of Service vulnerability | GHSA-8ghj-p4vj-mr35 | high | False Positive | 24.10.2 | Link | Pillow not used for arbitrary image processing. | |
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.45.0 | otelgrpc DoS vulnerability due to unbound cardinality metrics | GHSA-8pgv-569h-w5rw | high | False Positive | 24.10.2 | Link | DoS not reachable in TrueNAS code. | |
asyncssh 2.13.2 | AsyncSSH Rogue Session Attack | GHSA-c35q-ffpf-5qpm | high | False Positive | 24.10.2 | Link | asyncssh not used in vulnerable fashion | |
setuptools 66.1.1 | setuptools vulnerable to Command Injection via package URL | GHSA-cx63-2mw6-8hw5 | high | False Positive | 24.10.2 | Link | setuptools not used for untrusted packages. | |
pycryptodomex 3.11.0 | PyCryptodome and pycryptodomex side-channel leakage for OAEP decryption | GHSA-j225-cvw7-qrx7 | high | False Positive | 24.10.2 | Link | OAEP decryption not used internally in TrueNAS. | |
pillow 9.4.0 | libwebp: OOB write in BuildHuffmanTable | GHSA-j7hp-h8jx-5ppr | high | False Positive | 24.10.2 | Link | Pillow not used for untrusted image processing. | |
markdown-it-py 2.1.0 | markdown-it-py Denial of Service vulnerability in the command line interface | GHSA-jrwr-5x3p-hvc3 | high | False Positive | 24.10.2 | Link | markdown not used in vulnerable fashion. | |
urllib3 1.26.12 | `Cookie` HTTP header isn't stripped on cross-origin redirects | GHSA-v845-jxx5-vc9f | high | False Positive | 24.10.2 | Link | urllib not used in vulnerable fashion | |
markdown-it-py 2.1.0 | markdown-it-py Denial of Service vulnerability | GHSA-vrjv-mxr7-vjf8 | high | False Positive | 24.10.2 | Link | markdown not used in vulnerable fashion. | |
golang.org/x/net v0.17.0 | Non-linear parsing of case-insensitive content in golang.org/x/net/html | GHSA-w32m-9786-jp63 | high | False Positive | 24.10.2 | Link | Library not used in vulnerable fashion | |
gitpython 3.1.30 | GitPython untrusted search path on Windows systems leading to arbitrary code execution | GHSA-wfm5-v35h-vwf4 | high | False Positive | 24.10.2 | Link | Windows vulnerability. | |
cryptography 38.0.4 | Vulnerable OpenSSL included in cryptography wheels | GHSA-x4qr-2fvf-3mr5 | high | False Positive | 24.10.2 | Link | Not building from supplied wheels. | |
certifi 2022.9.24 | Removal of e-Tugra root certificate | GHSA-xqr8-7jwr-rhp7 | high | False Positive | 24.10.2 | Link | External certificate issue. | |
dnsmasq-base 2.89-1 | The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations. | CVE-2023-50868 | unknown | False Positive | 24.10.2 | Link | dnsmasq not used for DNSSEC in TrueNAS | |
stdlib go1.21.6 | If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing for subsequent actions to inject unexpected content into templates. | CVE-2024-24785 | unknown | False Positive | 24.10.2 | Link | go stdlib not used to parse untrusted JSON | |
libssl3 3.0.13-1~deb12u2 | Issue summary: Some non-default TLS server configurations can cause unbounded memory growth when processing TLSv1.3 sessions Impact summary: An attacker may exploit certain server configurations to trigger unbounded memory growth that would lead to a Denial of Service This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is being used (but not if early_data support is also configured and the default anti-replay protection is in use). In this case, under certain conditions, the session cache can get into an incorrect state and it will fail to flush properly as it fills. The session cache will continue to grow in an unbounded manner. A malicious client could deliberately create the scenario for this failure to force a Denial of Service. It may also happen by accident in normal operation. This issue only affects TLS servers supporting TLSv1.3. It does not affect TLS clients. The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL 1.0.2 is also not affected by this issue. | CVE-2024-2511 | unknown | False Positive | 24.10.2 | Link | Requires non-default TLS server config. | |
iperf3 3.12-1+deb12u1 | iPerf3 before 3.17, when used with OpenSSL before 3.2.0 as a server with RSA authentication, allows a timing side channel in RSA decryption operations. This side channel could be sufficient for an attacker to recover credential plaintext. It requires the attacker to send a large number of messages for decryption, as described in "Everlasting ROBOT: the Marvin Attack" by Hubert Kario. | CVE-2024-26306 | unknown | False Positive | 24.10.2 | Link | iperf3 server not used. | |
krb5-user 1.20.1-2+deb12u1 | Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/kdc/ndr.c. | CVE-2024-26462 | unknown | False Positive | 24.10.2 | Link | Memory leak. | |
libxencall1 4.17.3+10-g091466ba55-1~deb12u1 | Because of a logical error in XSA-407 (Branch Type Confusion), the mitigation is not applied properly when it is intended to be used. XSA-434 (Speculative Return Stack Overflow) uses the same infrastructure, so is equally impacted. For more details, see: https://xenbits.xen.org/xsa/advisory-407.html https://xenbits.xen.org/xsa/advisory-434.html | CVE-2024-31142 | unknown | False Positive | 24.10.2 | Link | Do not run untrusted guest VMs. | |
librados2 16.2.11+ds-2 | | CVE-2024-48916 | unknown | False Positive | 24.10.2 | Link | Qemu dependency | |
grub-common 2.99-9 | grub2 allowed attackers with access to the grub shell to access files on the encrypted disks. | CVE-2024-49504 | unknown | False Positive | 24.10.2 | Link | Grub shell not accessible | |
git 1:2.39.2-1.1 | Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When Git asks for credentials via a terminal prompt (i.e. without using any credential helper), it prints out the host name for which the user is expected to provide a username and/or a password. At this stage, any URL-encoded parts have been decoded already, and are printed verbatim. This allows attackers to craft URLs that contain ANSI escape sequences which the terminal interprets, confusing users e.g. into providing passwords for trusted Git hosting sites when in fact they are then sent to untrusted sites that are under the attacker's control. This issue has been patched via commits `7725b81` and `c903985` which are included in release versions v2.48.1, v2.47.2, v2.46.3, v2.45.3, v2.44.3, v2.43.6, v2.42.4, v2.41.3, and v2.40.4. Users are advised to upgrade. Users unable to upgrade should avoid cloning from untrusted URLs, especially recursive clones. | CVE-2024-50349 | unknown | False Positive | 24.10.2 | Link | Git not used in vulnerable fashion | |
git 1:2.39.2-1.1 | Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. Git defines a line-based protocol that is used to exchange information between Git and Git credential helpers. Some ecosystems (most notably, .NET and node.js) interpret single Carriage Return characters as newlines, which renders the protections against CVE-2020-5260 incomplete for credential helpers that treat Carriage Returns in this way. This issue has been addressed in commit `b01b9b8` which is included in release versions v2.48.1, v2.47.2, v2.46.3, v2.45.3, v2.44.3, v2.43.6, v2.42.4, v2.41.3, and v2.40.4. Users are advised to upgrade. Users unable to upgrade should avoid cloning from untrusted URLs, especially recursive clones. | CVE-2024-52006 | unknown | False Positive | 24.10.2 | Link | Git not used in vulnerable fashion | |
rclone 1.67.1 | Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Insecure handling of symlinks with --links and --metadata in rclone while copying to local disk allows unprivileged users to indirectly modify ownership and permissions on symlink target files when a superuser or privileged process performs a copy. This vulnerability could enable privilege escalation and unauthorized access to critical system files, compromising system integrity, confidentiality, and availability. This vulnerability is fixed in 1.68.2. | CVE-2024-52522 | unknown | False Positive | 24.10.2 | Link | rclone not used with --links and --metadata options | |
libc-bin 2.36-9+deb12u7 | When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size. | CVE-2025-0395 | unknown | False Positive | 24.10.2 | Link | Unsafe assert messages not being used. | |
busybox 1.35.0 | There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can escalate from command execution to arbitrary code execution. | CVE-2022-48174 | critical | False Positive | 25.04.0 | Link | TrueNAS does not make use of busybox in a way that can be reached by this exploit. | |
rsync 3.2.7-1 | A heap-based buffer overflow flaw was found in the rsync daemon. This issue is due to improper handling of attacker-controlled checksum lengths (s2length) in the code. When MAX_DIGEST_LEN exceeds the fixed SUM_LENGTH (16 bytes), an attacker can write out of bounds in the sum2 buffer. | CVE-2024-12084 | critical | False Positive | 25.04.0 | Link | rsync is not used in daemon mode within TrueNAS SCALE. | |
stdlib go1.21.6 | The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms. | CVE-2024-24790 | critical | False Positive | 25.04.0 | Link | TrueNAS doesn't use Go's stdlib for IPv6 IP address checks. | |
wget 1.21.3-1+b2 | url.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo subcomponent of a URI, and thus there may be insecure behavior in which data that was supposed to be in the userinfo subcomponent is misinterpreted to be part of the host subcomponent. | CVE-2024-38428 | critical | False Positive | 25.04.0 | Link | wget is not used on untrusted URLs. | |
pillow 9.4.0 | Arbitrary Code Execution in Pillow | GHSA-3f63-hfp8-52jq | critical | False Positive | 25.04.0 | Link | Pillow code not reachable for arbitrary images. | |
gitpython 3.1.30 | GitPython vulnerable to remote code execution due to insufficient sanitization of input arguments | GHSA-pr76-5cm5-w9cj | critical | False Positive | 25.04.0 | Link | TrueNAS doesn't use GitPython with untrusted git repos. | |
golang.org/x/crypto v0.17.0 | Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto | GHSA-v778-237x-gjrc | critical | False Positive | 25.04.0 | Link | Functions not in use. | |
linux-kernel 6.12.15-debug+truenas | The embedded Linux kernel in certain Sun-Brocade SilkWorm switches before 20070516 does not properly handle a situation in which a non-root user creates a kernel process, which allows attackers to cause a denial of service (oops and device reboot) via unspecified vectors. | CVE-2007-2764 | high | False Positive | 25.04.0 | Link | ||
linux-kernel 6.12.15-debug+truenas | The TCP implementation in (1) Linux, (2) platforms based on BSD Unix, (3) Microsoft Windows, (4) Cisco products, and probably other operating systems allows remote attackers to cause a denial of service (connection queue exhaustion) via multiple vectors that manipulate information in the TCP state table, as demonstrated by sockstress. | CVE-2008-4609 | high | False Positive | 25.04.0 | Link | ||
linux-kernel 6.12.15-debug+truenas | The Linux kernel, as used in Red Hat Enterprise Linux 7.2 and Red Hat Enterprise MRG 2 and when booted with UEFI Secure Boot enabled, allows local users to bypass intended Secure Boot restrictions and execute untrusted code by appending ACPI tables to the initrd. | CVE-2016-3699 | high | False Positive | 25.04.0 | Link | ||
linux-kernel 6.12.15-debug+truenas | An elevation of privilege vulnerability exists in the NVIDIA GPU driver (gm20b_clk_throt_set_cdev_state), where an out-of-bounds memory read used as a function pointer could lead to code execution in the kernel. This issue is rated as high because it could allow a local malicious application to execute arbitrary code within the context of a privileged process. Product: Android. Version: N/A. Android ID: A-34705430. References: N-CVE-2017-6264. | CVE-2017-6264 | high | False Positive | 25.04.0 | Link | ||
linux-kernel 6.12.15-debug+truenas | It was found that the raw midi kernel driver does not protect against concurrent access which leads to a double realloc (double free) in snd_rawmidi_input_params() and snd_rawmidi_output_status() which are part of snd_rawmidi_ioctl() handler in rawmidi.c file. A malicious local attacker could possibly use this for privilege escalation. | CVE-2018-10902 | high | False Positive | 25.04.0 | Link | ||
linux-kernel 6.12.15-debug+truenas | A flaw was found in the Linux Kernel where an attacker may be able to have an uncontrolled read to kernel-memory from within a vm guest. A race condition between connect() and close() function may allow an attacker using the AF_VSOCK protocol to gather a 4 byte information leak or possibly intercept or corrupt AF_VSOCK messages destined to other clients. | CVE-2018-14625 | high | False Positive | 25.04.0 | Link | ||
linux-kernel 6.12.15-debug+truenas | A vulnerability was discovered in Linux, FreeBSD, OpenBSD, MacOS, iOS, and Android that allows a malicious access point, or an adjacent user, to determine if a connected user is using a VPN, make positive inferences about the websites they are visiting, and determine the correct sequence and acknowledgement numbers in use, allowing the bad actor to inject data into the TCP stream. This provides everything that is needed for an attacker to hijack active connections inside the VPN tunnel. | CVE-2019-14899 | high | False Positive | 25.04.0 | Link | ||
linux-kernel 6.12.15-debug+truenas | Use-after-free vulnerability in the Linux kernel exploitable by a local attacker due to reuse of a DCCP socket with an attached dccps_hc_tx_ccid object as a listener after being released. Fixed in Ubuntu Linux kernel 5.4.0-51.56, 5.3.0-68.63, 4.15.0-121.123, 4.4.0-193.224, 3.13.0.182.191 and 3.2.0-149.196. | CVE-2020-16119 | high | False Positive | 25.04.0 | Link | ||
linux-kernel 6.12.15-debug+truenas | A flaw was found in the Linux kernel's implementation of some networking protocols in IPsec, such as VXLAN and GENEVE tunnels over IPv6. When an encrypted tunnel is created between two hosts, the kernel isn't correctly routing tunneled data over the encrypted link; rather, it sends the data unencrypted. This would allow anyone in between the two endpoints to read the traffic unencrypted. The main threat from this vulnerability is to data confidentiality. | CVE-2020-1749 | high | False Positive | 25.04.0 | Link | ||
linux-kernel 6.12.15-debug+truenas | A flaw was found in the JFS filesystem code in the Linux Kernel which allows a local attacker with the ability to set extended attributes to panic the system, causing memory corruption or escalating privileges. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. | CVE-2020-27815 | high | False Positive | 25.04.0 | Link | ||
linux-kernel 6.12.15-debug+truenas | There is a vulnerability in the Linux kernel versions higher than 5.2 (if the kernel is compiled with config params CONFIG_BPF_SYSCALL=y, CONFIG_BPF=y, CONFIG_CGROUPS=y, CONFIG_CGROUP_BPF=y, CONFIG_HARDENED_USERCOPY not set, and a BPF hook to getsockopt is registered). As a result of BPF execution, a local user can trigger a bug in the __cgroup_bpf_run_filter_getsockopt() function that can lead to a heap overflow (because of non-hardened usercopy). The impact of the attack could be denial of service or possibly privilege escalation. | CVE-2021-20194 | high | False Positive | 25.04.0 | Link | ||
libopenjp2-7 2.5.0-2 | A heap-based buffer overflow was found in openjpeg in color.c:379:42 in sycc420_to_rgb when decompressing a crafted .j2k file. An attacker could use this to execute arbitrary code with the permissions of the application compiled against openjpeg. | CVE-2021-3575 | high | False Positive | 25.04.0 | Link | TrueNAS does not use libopenjp for processing untrusted images. | |
linux-kernel 6.12.15-debug+truenas | A flaw was found in the way the dumpable flag setting was handled when certain SUID binaries executed their descendants. The prerequisite is a SUID binary that sets real UID equal to effective UID, and real GID equal to effective GID. The descendant will then have a dumpable value set to 1. As a result, if the descendant process crashes and core_pattern is set to a relative value, its core dump is stored in the current directory with uid:gid permissions. An unprivileged local user with an eligible root SUID binary could use this flaw to place core dumps into root-owned directories, potentially resulting in escalation of privileges. | CVE-2021-3864 | high | False Positive | 25.04.0 | Link | ||
linux-kernel 6.12.15-debug+truenas | An out-of-bounds read vulnerability was discovered in the Linux kernel's SMC protocol stack, causing a remote DoS. | CVE-2022-0400 | high | False Positive | 25.04.0 | Link | ||
linux-kernel 6.12.15-debug+truenas | An issue found in linux-kernel that leads to a race condition in rose_connect(). The rose driver uses rose_neigh->use to represent how many objects are using the rose_neigh. When a user wants to delete a rose_route via rose_ioctl(), the rose driver calls rose_del_node() and removes neighbours only if their “count” and “use” are zero. | CVE-2022-1247 | high | False Positive | 25.04.0 | Link | ||
linux-kernel 6.12.15-debug+truenas | io_uring uses work_flags to determine which identity needs to be grabbed from the calling process to make sure it is consistent with the calling process when executing IORING_OP. Some operations are missing some types, which can lead to incorrect reference counts, which can then lead to a double free. We recommend upgrading the kernel past commit df3f3bb5059d20ef094d6b2f0256c4bf4127a859. | CVE-2022-2327 | high | False Positive | 25.04.0 | Link | ||
busybox 1.35.0 | BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors. | CVE-2022-28391 | high | False Positive | 25.04.0 | Link | TrueNAS does not use BusyBox to run netstat. | |
busybox 1.35.0 | A use-after-free in Busybox 1.35-x's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the copyvar function. | CVE-2022-30065 | high | False Positive | 25.04.0 | Link | ||
linux-kernel 6.12.15-debug+truenas | A vulnerability classified as critical has been found in Linux Kernel. Affected is the function btf_dump_name_dups of the file tools/lib/bpf/btf_dump.c of the component libbpf. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211032. | CVE-2022-3534 | high | False Positive | 25.04.0 | Link | ||
linux-kernel 6.12.15-debug+truenas | A vulnerability, which was classified as problematic, was found in Linux Kernel. This affects the function tcp_getsockopt/tcp_setsockopt of the component TCP Handler. The manipulation leads to race condition. It is recommended to apply a patch to fix this issue. The identifier VDB-211089 was assigned to this vulnerability. | CVE-2022-3566 | high | False Positive | 25.04.0 | Link | ||
linux-kernel 6.12.15-debug+truenas | A vulnerability, which was classified as critical, was found in Linux Kernel. This affects the function __mtk_ppe_check_skb of the file drivers/net/ethernet/mediatek/mtk_ppe.c of the component Ethernet Handler. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211935. | CVE-2022-3636 | high | False Positive | 25.04.0 | Link | ||
firmware-amd-graphics 20240709-2~bpo12+1 | Improper input validation in some Intel(R) PROSet/Wireless WiFi and Killer(TM) WiFi software may allow an authenticated user to potentially enable escalation of privilege via local access. | CVE-2022-38076 | high | False Positive | 25.04.0 | Link | WiFi firmware not used in TrueNAS. | |
qemu-block-extra 1:7.2+dfsg-7+deb12u12 | An off-by-one read/write issue was found in the SDHCI device of QEMU. It occurs when reading/writing the Buffer Data Port Register in sdhci_read_dataport and sdhci_write_dataport, respectively, if data_count == block_size. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition. | CVE-2022-3872 | high | False Positive | 25.04.0 | Link | Do not run untrusted guest VMs. | |
libgfapi0 10.3-5 | In Gluster GlusterFS 11.0, there is an xlators/cluster/dht/src/dht-common.c dht_setxattr_mds_cbk use-after-free. | CVE-2022-48340 | high | False Positive | 25.04.0 | Link | Gluster FS not used internally. | |
libxml2 2.9.14+dfsg-1.3~deb12u1 | xmlXIncludeAddNode in xinclude.c in libxml2 before 2.11.0 has a use-after-free. | CVE-2022-49043 | high | False Positive | 25.04.0 | Link | Qemu dependency. | |
qemu-block-extra 1:7.2+dfsg-7+deb12u12 | A flaw was found in the 9p passthrough filesystem (9pfs) implementation in QEMU. When a local user in the guest writes an executable file with SUID or SGID, none of these privileged bits are correctly dropped. As a result, in rare circumstances, this flaw could be used by malicious users in the guest to elevate their privileges within the guest and help a host local user to elevate privileges on the host. | CVE-2023-1386 | high | False Positive | 25.04.0 | Link | Do not run untrusted guest VMs. | |
libharfbuzz0b 6.0.0+dfsg-3 | hb-ot-layout-gsubgpos.hh in HarfBuzz through 6.0.0 allows attackers to trigger O(n^2) growth via consecutive marks during the process of looking back for base glyphs when attaching marks. | CVE-2023-25193 | high | False Positive | 25.04.0 | Link | TrueNAS is not using harfbuzz to display attacker chosen strings. | |
vim-common 2:9.0.1378-2 | Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.1532. | CVE-2023-2610 | high | False Positive | 25.04.0 | Link | Only vulnerable if untrusted file is run in script mode. | |
ipmctl 03.00.00.0468-1 | Improper access control in some Intel(R) Optane(TM) PMem software before versions 01.00.00.3547, 02.00.00.3915, 03.00.00.0483 may allow an authenticated user to potentially enable escalation of privilege via local access. | CVE-2023-27517 | high | False Positive | 25.04.0 | Link | ||
curl 7.88.1 | A vulnerability in input validation exists in curl <8.0 during communication using the TELNET protocol that may allow an attacker to pass on maliciously crafted user names and "telnet options" during server negotiation. The lack of proper input scrubbing allows an attacker to send content or perform option negotiation without the application's intent. This vulnerability could be exploited if an application allows user input, thereby enabling attackers to execute arbitrary code on the system. | CVE-2023-27533 | high | False Positive | 25.04.0 | Link | ||
curl 7.88.1 | A path traversal vulnerability exists in the SFTP implementation of curl <8.0.0 that causes the tilde (~) character to be wrongly replaced when used as a prefix in the first path element, in addition to its intended use as the first element to indicate a path relative to the user's home directory. Attackers can exploit this flaw to bypass filtering or execute arbitrary code by crafting a path like /~2/foo while accessing a server with a specific user. | CVE-2023-27534 | high | False Positive | 25.04.0 | Link | ||
curl 7.88.1 | A use after free vulnerability exists in curl <v8.1.0 in the way libcurl offers a feature to verify an SSH server's public key using a SHA 256 hash. When this check fails, libcurl would free the memory for the fingerprint before it returns an error message containing the (now freed) hash. This flaw risks inserting sensitive heap-based data into the error message that might be shown to users or otherwise get leaked and revealed. | CVE-2023-28319 | high | False Positive | 25.04.0 | Link | ||
python3-dnspython 2.3.0-1 | eventlet before 0.35.2, as used in dnspython before 2.6.0, allows remote attackers to interfere with DNS name resolution by quickly sending an invalid packet from the expected IP address and source port, aka a "TuDoor" attack. In other words, dnspython does not have the preferred behavior in which the DNS name resolution algorithm would proceed, within the full time window, in order to wait for a valid packet. NOTE: dnspython 2.6.0 is unusable for a different reason that was addressed in 2.6.1. | CVE-2023-29483 | high | False Positive | 25.04.0 | Link | TrueNAS does not use dnspython for arbitrary DNS resolution | |
libldap-2.5-0 2.5.13+dfsg-5 | A vulnerability was found in openldap. This security flaw causes a null pointer dereference in ber_memalloc_x() function. | CVE-2023-2953 | high | Low | 25.04.0 | Link | iX considers risk to be low. There are no known exploits of this null pointer bug. | |
linux-kernel 6.12.15-debug+truenas | Type confusion in V8 in Google Chrome prior to 114.0.5735.110 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | CVE-2023-3079 | high | False Positive | 25.04.0 | Link | ||
libperl5.36 5.36.0-7+deb12u1 | CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS. | CVE-2023-31484 | high | False Positive | 25.04.0 | Link | CPAN is not used in a vulnerable way. | |
sysstat 12.6.1-1 | sysstat through 12.7.2 allows a multiplication integer overflow in check_overflow in common.c. NOTE: this issue exists because of an incomplete fix for CVE-2022-39377. | CVE-2023-33204 | high | False Positive | 25.04.0 | Link | sysstat is not used in a vulnerable way. | |
intel-microcode 3.20241112.1~deb12u1 | Improper input validation in UEFI firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access. | CVE-2023-34440 | high | High | 25.04.0 | Link | Only applies to certain CPUs. Check this link for more information: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01139.html | |
linux-kernel 6.12.15-debug+truenas | A possible unauthorized memory access flaw was found in the Linux kernel's cpu_entry_area mapping of X86 CPU data to memory, where a user may guess the location of exception stacks or other important data. Based on the previous CVE-2023-0597, the 'Randomize per-cpu entry area' feature was implemented in /arch/x86/mm/cpu_entry_area.c, which works through the init_cea_offsets() function when KASLR is enabled. However, despite this feature, there is still a risk of per-cpu entry area leaks. This issue could allow a local user to gain access to some important data with memory in an expected location and potentially escalate their privileges on the system. | CVE-2023-3640 | high | False Positive | 25.04.0 | Link | ||
curl 7.88.1 | When curl retrieves an HTTP response, it stores the incoming headers so that they can be accessed later via the libcurl headers API. However, curl did not have a limit in how many or how large headers it would accept in a response, allowing a malicious server to stream an endless series of headers and eventually cause curl to run out of heap memory. | CVE-2023-38039 | high | False Positive | 25.04.0 | Link | ||
busybox-static 1:1.35.0-4+b3 | An issue in the CPIO command of Busybox v1.33.2 allows attackers to execute a directory traversal. | CVE-2023-39810 | high | False Positive | 25.04.0 | Link | Busybox not used for CPIO | |
sudo 1.9.13p3-1+deb12u1 | Sudo before 1.9.15 might allow row hammer attacks (for authentication bypass or privilege escalation) because application logic sometimes is based on not equaling an error value (instead of equaling a success value), and because the values do not resist flips of a single bit. | CVE-2023-42465 | high | Low | 25.04.0 | Link | Rowhammer attacks are hardware-based; it's nearly impossible to completely fix this issue in software. Do not run untrusted VMs or containers on your TrueNAS. | |
intel-microcode 3.20241112.1~deb12u1 | Improper input validation in UEFI firmware for some Intel(R) processors may allow a privileged user to potentially enable escalation of privilege via local access. | CVE-2023-43758 | high | High | 25.04.0 | Link | Only some CPUs are vulnerable. Check this link for more information: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01139.html | |
nginx 1.22.1 | The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. | CVE-2023-44487 | high | Low | 25.04.0 | Link | Do not expose your TrueNAS HTTP ports to the internet. | |
ovmf 2022.11-6+deb12u1 | EDK2's Network Package is susceptible to a predictable TCP Initial Sequence Number. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality. | CVE-2023-45236 | high | False Positive | 25.04.0 | Link | VM exploit: Do not run untrusted VMs on your TrueNAS. | |
ovmf 2022.11-6+deb12u1 | EDK2's Network Package is susceptible to a predictable TCP Initial Sequence Number. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality. | CVE-2023-45237 | high | False Positive | 25.04.0 | Link | VM exploit: Do not run untrusted VMs on your TrueNAS. | |
stdlib go1.21.6 | An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection. | CVE-2023-45288 | high | False Positive | 25.04.0 | Link | Go's stdlib not used for serving HTTP. | |
vim-common 2:9.0.1378-2 | Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1848. | CVE-2023-4738 | high | False Positive | 25.04.0 | Link | Requires obscure vim use. No known exploit. | |
vim-common 2:9.0.1378-2 | Use After Free in GitHub repository vim/vim prior to 9.0.1858. | CVE-2023-4752 | high | False Positive | 25.04.0 | Link | Requires vim use; no escalation | |
vim-common 2:9.0.1378-2 | Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1873. | CVE-2023-4781 | high | False Positive | 25.04.0 | Link | Requires vim use; no escalation | |
proftpd 1.3.8 | make_ftp_cmd in main.c in ProFTPD before 1.3.8a has a one-byte out-of-bounds read, and daemon crash, because of mishandling of quote/backslash semantics. | CVE-2023-51713 | high | False Positive | 25.04.0 | Link | Original report not valid. | |
p7zip 16.02+dfsg-8 | The NtfsHandler.cpp NTFS handler in 7-Zip before 24.01 (for 7zz) contains a heap-based buffer overflow that allows an attacker to overwrite two bytes at multiple offsets beyond the allocated buffer size: buffer+512*i-2, for i=9, i=10, i=11, etc. | CVE-2023-52168 | high | False Positive | 25.04.0 | Link | p7zip not used internally. | |
libtiff6 4.5.0-6+deb12u2 | An out-of-memory flaw was found in libtiff that could be triggered by passing a crafted tiff file to the TIFFRasterScanlineSize64() API. This flaw allows a remote attacker to cause a denial of service via a crafted input with a size smaller than 379 KB. | CVE-2023-52355 | high | False Positive | 25.04.0 | Link | libtiff not used internally. | |
libexpat1 2.5.0-1+deb12u1 | libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed. | CVE-2023-52425 | high | False Positive | 25.04.0 | Link | Unreachable denial of service. | |
vim-common 2:9.0.1378-2 | Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1969. | CVE-2023-5344 | high | False Positive | 25.04.0 | Link | Requires vim use; no escalation | |
linux-kernel 6.12.15-debug+truenas | A flaw was found in the ATA over Ethernet (AoE) driver in the Linux kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on `struct net_device`, and a use-after-free can be triggered by racing between the free on the struct and the access through the `skbtxq` global queue. This could lead to a denial of service condition or potential code execution. | CVE-2023-6270 | high | False Positive | 25.04.0 | Link | ||
linux-kernel 6.12.15-debug+truenas | A flaw was found in the Linux kernel's NVMe driver. This issue may allow an unauthenticated malicious actor to send a set of crafted TCP packets when using NVMe over TCP, leading the NVMe driver to a NULL pointer dereference, causing a kernel panic and a denial of service. | CVE-2023-6535 | high | False Positive | 25.04.0 | Link | ||
linux-kernel 6.12.15-debug+truenas | An out-of-bounds read vulnerability was found in smb2_dump_detail in fs/smb/client/smb2ops.c in the Linux Kernel. This issue could allow a local attacker to crash the system or leak internal kernel information. | CVE-2023-6610 | high | False Positive | 25.04.0 | Link | ||
bind9-dnsutils 1:9.18.28-1~deb12u2 | It is possible to construct a zone such that some queries to it will generate responses containing numerous records in the Additional section. An attacker sending many such queries can cause either the authoritative server itself or an independent resolver to use disproportionate resources processing the queries. Zones will usually need to have been deliberately crafted to attack this exposure. This issue affects BIND 9 versions 9.11.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.32, 9.20.0 through 9.20.4, 9.21.0 through 9.21.3, 9.11.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.32-S1. | CVE-2024-11187 | high | False Positive | 25.04.0 | Link | ||
rsync 3.2.7-1 | A flaw was found in rsync which could be triggered when rsync compares file checksums. This flaw allows an attacker to manipulate the checksum length (s2length) to cause a comparison between a checksum and uninitialized memory and leak one byte of uninitialized stack data at a time. | CVE-2024-12085 | high | False Positive | 25.04.0 | Link | Rsync not used in daemon mode. | |
bind9-dnsutils 1:9.18.28-1~deb12u2 | Clients using DNS-over-HTTPS (DoH) can exhaust a DNS resolver's CPU and/or memory by flooding it with crafted valid or invalid HTTP/2 traffic. This issue affects BIND 9 versions 9.18.0 through 9.18.32, 9.20.0 through 9.20.4, 9.21.0 through 9.21.3, and 9.18.11-S1 through 9.18.32-S1. | CVE-2024-12705 | high | False Positive | 25.04.0 | Link | ||
vim-common 2:9.0.1378-2 | Vim before 9.0.2142 has a stack-based buffer overflow because did_set_langmap in map.c calls sprintf to write to the error buffer that is passed down to the option callback functions. | CVE-2024-22667 | high | False Positive | 25.04.0 | Link | Requires vim use; no escalation | |
curl 7.88.1 | When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory. Further, this error condition fails silently and is therefore not easily detected by an application. | CVE-2024-2398 | high | False Positive | 25.04.0 | Link | TrueNAS does not use libcurl in a vulnerable way. | |
intel-microcode 3.20241112.1~deb12u1 | Improper input validation in XmlCli feature for UEFI firmware for some Intel(R) processors may allow privileged user to potentially enable escalation of privilege via local access. | CVE-2024-24582 | high | False Positive | 25.04.0 | Link | ||
stdlib go1.21.6 | The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers. | CVE-2024-24784 | high | False Positive | 25.04.0 | Link | TrueNAS does not use ParseAddressList | |
stdlib go1.21.6 | The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail. | CVE-2024-24791 | high | False Positive | 25.04.0 | Link | TrueNAS is not using net/http client. | |
libxml2 2.9.14+dfsg-1.3~deb12u1 | An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free. | CVE-2024-25062 | high | False Positive | 25.04.0 | Link | TrueNAS is not processing XML from attackers. | |
intel-microcode 3.20241112.1~deb12u1 | Improper input validation in UEFI firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access. | CVE-2024-28127 | high | High | 25.04.0 | Link | Only some CPUs are vulnerable. Check this link for more information: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01139.html | |
intel-microcode 3.20241112.1~deb12u1 | Improper input validation in UEFI firmware CseVariableStorageSmm for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access. | CVE-2024-29214 | high | High | 25.04.0 | Link | Only some CPUs are vulnerable. Check this link for more information: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01139.html | |
libxencall1 4.17.3+10-g091466ba55-1~deb12u1 | Because of a logical error in XSA-407 (Branch Type Confusion), the mitigation is not applied properly when it is intended to be used. XSA-434 (Speculative Return Stack Overflow) uses the same infrastructure, so is equally impacted. For more details, see: https://xenbits.xen.org/xsa/advisory-407.html https://xenbits.xen.org/xsa/advisory-434.html | CVE-2024-31142 | high | False Positive | 25.04.0 | Link | Do not run untrusted guest VMs. | |
libxencall1 4.17.3+10-g091466ba55-1~deb12u1 | An optional feature of PCI MSI called "Multiple Message" allows a device to use multiple consecutive interrupt vectors. Unlike for MSI-X, the setting up of these consecutive vectors needs to happen all in one go. In this handling an error path could be taken in different situations, with or without a particular lock held. This error path wrongly releases the lock even when it is not currently held. | CVE-2024-31143 | high | False Positive | 25.04.0 | Link | Don't run untrusted guests. | |
libxencall1 4.17.3+10-g091466ba55-1~deb12u1 | Certain PCI devices in a system might be assigned Reserved Memory Regions (specified via Reserved Memory Region Reporting, "RMRR") for Intel VT-d or Unity Mapping ranges for AMD-Vi. These are typically used for platform tasks such as legacy USB emulation. Since the precise purpose of these regions is unknown, once a device associated with such a region is active, the mappings of these regions need to remain continuously accessible by the device. In the logic establishing these mappings, error handling was flawed, so such mappings could remain in place when they should have been removed again. Respective guests would then gain access to memory regions which they aren't supposed to have access to. | CVE-2024-31145 | high | False Positive | 25.04.0 | Link | Do not run untrusted guest VMs. | |
libxencall1 4.17.3+10-g091466ba55-1~deb12u1 | When multiple devices share resources and one of them is to be passed through to a guest, security of the entire system and of respective guests individually cannot really be guaranteed without knowing internals of any of the involved guests. Therefore such a configuration cannot really be security-supported, yet making that explicit was so far missing. Resources the sharing of which is known to be problematic include, but are not limited to: PCI Base Address Registers (BARs) of multiple devices mapping to the same page (4k on x86), and INTx lines. | CVE-2024-31146 | high | False Positive | 25.04.0 | Link | Do not run untrusted guest VMs. | |
libunbound8 1.17.1-2+deb12u2 | The DNS protocol in RFC 1035 and updates allows remote attackers to cause a denial of service (resource consumption) by arranging for DNS queries to be accumulated for seconds, such that responses are later sent in a pulsing burst (which can be considered traffic amplification in some cases), aka the "DNSBomb" issue. | CVE-2024-33655 | high | False Positive | 25.04.0 | Link | DNS resolution not used in vulnerable fashion. | |
stdlib go1.21.6 | Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635. | CVE-2024-34156 | high | False Positive | 25.04.0 | Link | Decode not used. | |
stdlib go1.21.6 | Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion. | CVE-2024-34158 | high | False Positive | 25.04.0 | Link | Build time issue. | |
linux-kernel 6.12.15-debug+truenas | In the Linux kernel, the following vulnerability has been resolved: nfc: nci: Fix uninit-value in nci_rx_work syzbot reported the following uninit-value access issue [1]. nci_rx_work() parses received packets from ndev->rx_q. The header size, payload size and total packet size should be validated before processing the packet. If an invalid packet is detected, it should be silently discarded. | CVE-2024-38381 | high | False Positive | 25.04.0 | Link | ||
python 3.11.9 | The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn’t be returned in accordance with the latest information from the IANA Special-Purpose Address Registries. CPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior. | CVE-2024-4032 | high | False Positive | 25.04.0 | Link | Address typing not relied upon for security issues. | |
grub-common 2.99-9 | A flaw was found in the HFS filesystem. When reading an HFS volume's name at grub_fs_mount(), the HFS filesystem driver performs a strcpy() using the user-provided volume name as input without properly validating the volume name's length. This issue may lead to a heap-based out-of-bounds write, impacting grub's sensitive data integrity and eventually leading to a secure boot protection bypass. | CVE-2024-45782 | high | False Positive | 25.04.0 | Link | ||
libxencall1 4.17.3+10-g091466ba55-1~deb12u1 | In x86's APIC (Advanced Programmable Interrupt Controller) architecture, error conditions are reported in a status register. Furthermore, the OS can opt to receive an interrupt when a new error occurs. It is possible to configure the error interrupt with an illegal vector, which generates an error when an error interrupt is raised. This case causes Xen to recurse through vlapic_error(). The recursion itself is bounded; errors accumulate in the status register and only generate an interrupt when a new status bit becomes set. However, the lock protecting this state in Xen will try to be taken recursively, and deadlock. | CVE-2024-45817 | high | False Positive | 25.04.0 | Link | Do not run untrusted VM guests in TrueNAS. | |
linux-kernel 6.12.15-debug+truenas | In the Linux kernel, the following vulnerability has been resolved: drm/xe/tracing: Fix a potential TP_printk UAF The commit afd2627f727b ("tracing: Check "%s" dereference via the field and not the TP_printk format") exposes potential UAFs in the xe_bo_move trace event. Fix those by avoiding dereferencing the xe_mem_type_to_name[] array at TP_printk time. Since some code refactoring has taken place, explicit backporting may be needed for kernels older than 6.10. | CVE-2024-49570 | high | False Positive | 25.04.0 | Link | ||
jq 1.6 | decNumberCopy in decNumber.c in jq through 1.7.1 does not properly consider that NaN is interpreted as numeric, which has a resultant stack-based buffer overflow and out-of-bounds write, as demonstrated by use of --slurp with subtraction, such as a filter of .-. when the input has a certain form of digit string with NaN (e.g., "1 NaN123" immediately followed by many more digits). | CVE-2024-53427 | high | False Positive | 25.04.0 | Link | ||
iperf3 3.12-1+deb12u1 | iperf v3.17.1 was discovered to contain a segmentation violation via the iperf_exchange_parameters() function. | CVE-2024-53580 | high | False Positive | 25.04.0 | Link | Requires iperf use; no escalation | |
linux-kernel 6.12.15-debug+truenas | In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: bsg: Set bsg_queue to NULL after removal Currently, this does not cause any issues, but I believe it is necessary to set bsg_queue to NULL after removing it to prevent potential use-after-free (UAF) access. | CVE-2024-54458 | high | False Positive | 25.04.0 | Link | ||
libxslt1.1 1.1.35-1 | xsltGetInheritedNsList in libxslt before 1.1.43 has a use-after-free issue related to exclusion of result prefixes. | CVE-2024-55549 | high | False Positive | 25.04.0 | Link | ||
amd64-microcode 3.20240820.1~deb12u1 | Improper signature verification in AMD CPU ROM microcode patch loader may allow an attacker with local administrator privilege to load malicious CPU microcode resulting in loss of confidentiality and integrity of a confidential guest running under AMD SEV-SNP. | CVE-2024-56161 | high | High | 25.04.0 | Link | This issue is CPU dependent; check this URL for more information: https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3019.html | |
libxml2 2.9.14+dfsg-1.3~deb12u1 | libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a use-after-free in xmlSchemaIDCFillNodeTables and xmlSchemaBubbleIDCNodeTables in xmlschemas.c. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used. | CVE-2024-56171 | high | False Positive | 25.04.0 | Link | ||
grub-common 2.99-9 | GNU GRUB (aka GRUB2) through 2.12 has a heap-based buffer overflow in fs/hfs.c via crafted sblock data in an HFS filesystem. | CVE-2024-56737 | high | False Positive | 25.04.0 | Link | Requires HFS use | |
linux-kernel 6.12.15-debug+truenas | In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix read pointer after free in ath12k_mac_assign_vif_to_vdev() In ath12k_mac_assign_vif_to_vdev(), if arvif is created on a different radio, it gets deleted from that radio through a call to ath12k_mac_unassign_link_vif(). This action frees the arvif pointer. Subsequently, there is a check involving arvif, which will result in a read-after-free scenario. Fix this by moving this check after arvif is again assigned via call to ath12k_mac_assign_link_vif(). Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.3.1-00173-QCAHKSWPL_SILICONZ-1 | CVE-2024-57995 | high | False Positive | 25.04.0 | Link | ||
python 3.11.9 | There is a MEDIUM severity vulnerability affecting CPython. Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives. | CVE-2024-6232 | high | False Positive | 25.04.0 | Link | libpython not used with regular expressions in tar file processing. | |
qemu-block-extra 1:7.2+dfsg-7+deb12u12 | A use-after-free vulnerability was found in the QEMU LSI53C895A SCSI Host Bus Adapter emulation. This issue can lead to a crash or VM escape. | CVE-2024-6519 | high | False Positive | 25.04.0 | Link | QEMU not used for LSI HBA emulation. | |
libnbd0 1.14.2-1 | A flaw was found in libnbd. The client did not always correctly verify the NBD server's certificate when using TLS to connect to an NBD server. This issue allows a man-in-the-middle attack on NBD traffic. | CVE-2024-7383 | high | False Positive | 25.04.0 | Link | libnbd not used in vulnerable fashion | |
python 3.11.9 | There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value. | CVE-2024-7592 | high | False Positive | 25.04.0 | Link | CPython not used in vulnerable fashion. | |
qemu-block-extra 1:7.2+dfsg-7+deb12u12 | A heap buffer overflow was found in the virtio-snd device in QEMU. When reading input audio in the virtio-snd input callback, virtio_snd_pcm_in_cb, the function did not check whether the iov can fit the data buffer. This issue can trigger an out-of-bounds write if the size of the virtio queue element is equal to virtio_snd_pcm_status, which makes the available space for audio data zero. | CVE-2024-7730 | high | False Positive | 25.04.0 | Link | Do not run untrusted VM guests. | |
python 3.11.9 | There is a HIGH severity vulnerability affecting the CPython "zipfile" module affecting "zipfile.Path". Note that the more common API "zipfile.ZipFile" class is unaffected. When iterating over names of entries in a zip archive (for example, methods of "zipfile.Path" like "namelist()", "iterdir()", etc) the process can be put into an infinite loop with a maliciously crafted zip archive. This defect applies when reading only metadata or extracting the contents of the zip archive. Programs that are not handling user-controlled zip archives are not affected. | CVE-2024-8088 | high | False Positive | 25.04.0 | Link | zipfile code not used to parse untrusted zip files. | |
libexpat1 2.5.0-1+deb12u1 | A stack overflow vulnerability exists in the libexpat library due to the way it handles recursive entity expansion in XML documents. When parsing an XML document with deeply nested entity references, libexpat can be forced to recurse indefinitely, exhausting the stack space and causing a crash. This issue could lead to denial of service (DoS) or, in some cases, exploitable memory corruption, depending on the environment and library usage. | CVE-2024-8176 | high | Low | 25.04.0 | Link | TrueNAS code doesn't use libexpat in an unsafe fashion. | |
python 3.11.9 | A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts (i.e., "source venv/bin/activate"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (i.e., "./venv/bin/python") are not affected. | CVE-2024-9287 | high | False Positive | 25.04.0 | Link | ||
libc-bin 2.36-9+deb12u9 | When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size. | CVE-2025-0395 | high | False Positive | 25.04.0 | Link | Unsafe assert messages not being used. | |
grub-common 2.99-9 | A flaw was found in grub2. During the network boot process, when trying to search for the configuration file, grub copies data from a user-controlled environment variable into an internal buffer using the grub_strcpy() function. During this step, it fails to consider the environment variable length when allocating the internal buffer, resulting in an out-of-bounds write. If correctly exploited, this issue may result in remote code execution through the same network segment grub is searching for the boot information, which can be used to bypass secure boot protections. | CVE-2025-0624 | high | False Positive | 25.04.0 | Link | Network boot is not used. | |
grub-common 2.99-9 | A flaw was found in grub2. When reading data from a squash4 filesystem, grub's squash4 fs module uses user-controlled parameters from the filesystem geometry to determine the internal buffer size; however, it improperly checks for integer overflows. A maliciously crafted filesystem may lead some of those buffer size calculations to overflow, causing it to perform a grub_malloc() operation with a smaller size than expected. As a result, direct_read() will perform a heap-based out-of-bounds write during data reading. This flaw may be leveraged to corrupt grub's internal critical data and may result in arbitrary code execution, bypassing secure boot protections. | CVE-2025-0678 | high | False Positive | 25.04.0 | Link | TrueNAS does not boot untrusted file systems. | |
curl 7.88.1 | When libcurl is asked to perform automatic gzip decompression of content-encoded HTTP responses with the `CURLOPT_ACCEPT_ENCODING` option, **using zlib 1.2.0.3 or older**, an attacker-controlled integer overflow would make libcurl perform a buffer overflow. | CVE-2025-0725 | high | False Positive | 25.04.0 | Link | ||
linux-kernel 6.12.15-debug+truenas | In the Linux kernel, the following vulnerability has been resolved: net/mlx5: HWS, change error flow on matcher disconnect Currently, when firmware failure occurs during matcher disconnect flow, the error flow of the function reconnects the matcher back and returns an error, which continues running the calling function and eventually frees the matcher that is being disconnected. This leads to a case where we have a freed matcher on the matchers list, which in turn leads to use-after-free and eventual crash. This patch fixes that by not trying to reconnect the matcher back when some FW command fails during disconnect. Note that we're dealing here with FW error. We can't overcome this problem. This might lead to bad steering state (e.g. wrong connection between matchers), and will also lead to resource leakage, as it is the case with any other error handling during resource destruction. However, the goal here is to allow the driver to continue and not crash the machine with use-after-free error. | CVE-2025-21751 | high | False Positive | 25.04.0 | Link | ||
linux-kernel 6.12.15-debug+truenas | In the Linux kernel, the following vulnerability has been resolved: vsock: Keep the binding until socket destruction Preserve socket bindings; this includes both those resulting from an explicit bind() and those implicitly bound through autobind during connect(). Prevents socket unbinding during a transport reassignment, which fixes a use-after-free: 1. vsock_create() (refcnt=1) calls vsock_insert_unbound() (refcnt=2) 2. transport->release() calls vsock_remove_bound() without checking if sk was bound and moved to bound list (refcnt=1) 3. vsock_bind() assumes sk is in unbound list and before __vsock_insert_bound(vsock_bound_sockets()) calls __vsock_remove_bound() which does: list_del_init(&vsk->bound_table); // nop sock_put(&vsk->sk); // refcnt=0 | CVE-2025-21756 | high | False Positive | 25.04.0 | Link | ||
linux-kernel 6.12.15-debug+truenas | In the Linux kernel, the following vulnerability has been resolved: ipv6: mcast: extend RCU protection in igmp6_send() igmp6_send() can be called without RTNL or RCU being held. Extend RCU protection so that we can safely fetch the net pointer and avoid a potential UAF. Note that we no longer can use sock_alloc_send_skb() because ipv6.igmp_sk uses GFP_KERNEL allocations which can sleep. Instead use alloc_skb() and charge the net->ipv6.igmp_sk socket under RCU protection. | CVE-2025-21759 | high | False Positive | 25.04.0 | Link | ||
linux-kernel 6.12.15-debug+truenas | In the Linux kernel, the following vulnerability has been resolved: ndisc: extend RCU protection in ndisc_send_skb() ndisc_send_skb() can be called without RTNL or RCU held. Acquire rcu_read_lock() earlier, so that we can use dev_net_rcu() and avoid a potential UAF. | CVE-2025-21760 | high | False Positive | 25.04.0 | Link | ||
linux-kernel 6.12.15-debug+truenas | In the Linux kernel, the following vulnerability has been resolved: openvswitch: use RCU protection in ovs_vport_cmd_fill_info() ovs_vport_cmd_fill_info() can be called without RTNL or RCU. Use RCU protection and dev_net_rcu() to avoid potential UAF. | CVE-2025-21761 | high | False Positive | 25.04.0 | Link | ||
linux-kernel 6.12.15-debug+truenas | In the Linux kernel, the following vulnerability has been resolved: arp: use RCU protection in arp_xmit() arp_xmit() can be called without RTNL or RCU protection. Use RCU protection to avoid potential UAF. | CVE-2025-21762 | high | False Positive | 25.04.0 | Link | ||
linux-kernel 6.12.15-debug+truenas | In the Linux kernel, the following vulnerability has been resolved: neighbour: use RCU protection in __neigh_notify() __neigh_notify() can be called without RTNL or RCU protection. Use RCU protection to avoid potential UAF. | CVE-2025-21763 | high | False Positive | 25.04.0 | Link | ||
linux-kernel 6.12.15-debug+truenas | In the Linux kernel, the following vulnerability has been resolved: ndisc: use RCU protection in ndisc_alloc_skb() ndisc_alloc_skb() can be called without RTNL or RCU being held. Add RCU protection to avoid possible UAF. | CVE-2025-21764 | high | False Positive | 25.04.0 | Link | ||
linux-kernel 6.12.15-debug+truenas | In the Linux kernel, the following vulnerability has been resolved: orangefs: fix an oob in orangefs_debug_write I got a syzbot report: slab-out-of-bounds Read in orangefs_debug_write... several people suggested fixes, I tested Al Viro's suggestion and made this patch. | CVE-2025-21782 | high | False Positive | 25.04.0 | Link | ||
linux-kernel 6.12.15-debug+truenas | In the Linux kernel, the following vulnerability has been resolved: arm64: cacheinfo: Avoid out-of-bounds write to cacheinfo array The loop that detects/populates cache information already has a bounds check on the array size but does not account for cache levels with separate data/instructions cache. Fix this by incrementing the index for any populated leaf (instead of any populated level). | CVE-2025-21785 | high | False Positive | 25.04.0 | Link | ||
linux-kernel 6.12.15-debug+truenas | In the Linux kernel, the following vulnerability has been resolved: workqueue: Put the pwq after detaching the rescuer from the pool The commit 68f83057b913 ("workqueue: Reap workers via kthread_stop() and remove detach_completion") adds code to reap the normal workers but mistakenly does not handle the rescuer and also removes the code waiting for the rescuer in put_unbound_pool(), which caused a use-after-free bug reported by Cheung Wall. To avoid the use-after-free bug, the pool’s reference must be held until the detachment is complete. Therefore, move the code that puts the pwq after detaching the rescuer from the pool. | CVE-2025-21786 | high | False Positive | 25.04.0 | Link | ||
linux-kernel 6.12.15-debug+truenas | In the Linux kernel, the following vulnerability has been resolved: vrf: use RCU protection in l3mdev_l3_out() l3mdev_l3_out() can be called without RCU being held: raw_sendmsg() ip_push_pending_frames() ip_send_skb() ip_local_out() __ip_local_out() l3mdev_ip_out() Add rcu_read_lock() / rcu_read_unlock() pair to avoid a potential UAF. | CVE-2025-21791 | high | False Positive | 25.04.0 | Link | ||
linux-kernel 6.12.15-debug+truenas | In the Linux kernel, the following vulnerability has been resolved: HID: hid-thrustmaster: fix stack-out-of-bounds read in usb_check_int_endpoints() Syzbot[1] has detected a stack-out-of-bounds read of the ep_addr array from hid-thrustmaster driver. This array is passed to usb_check_int_endpoints function from usb.c core driver, which executes a for loop that iterates over the elements of the passed array. Not finding a null element at the end of the array, it tries to read the next, non-existent element, crashing the kernel. To fix this, a 0 element was added at the end of the array to break the for loop. [1] https://syzkaller.appspot.com/bug?extid=9c9179ac46169c56c1ad | CVE-2025-21794 | high | False Positive | 25.04.0 | Link | ||
linux-kernel 6.12.15-debug+truenas | In the Linux kernel, the following vulnerability has been resolved: nfsd: clear acl_access/acl_default after releasing them If getting acl_default fails, acl_access and acl_default will be released simultaneously. However, acl_access will still retain a pointer pointing to the released posix_acl, which will trigger a WARNING in nfs3svc_release_getacl. Clear acl_access/acl_default after posix_acl_release is called to prevent UAF from being triggered. | CVE-2025-21796 | high | False Positive | 25.04.0 | Link | ||
linux-kernel 6.12.15-debug+truenas | In the Linux kernel, the following vulnerability has been resolved: ibmvnic: Don't reference skb after sending to VIOS Previously, after successfully flushing the xmit buffer to VIOS, the tx_bytes stat was incremented by the length of the skb. It is invalid to access the skb memory after sending the buffer to the VIOS because, at any point after sending, the VIOS can trigger an interrupt to free this memory. A race between reading skb->len and freeing the skb is possible (especially during LPM) and will result in use-after-free. | CVE-2025-21855 | high | False Positive | 25.04.0 | Link | ||
linux-kernel 6.12.15-debug+truenas | In the Linux kernel, the following vulnerability has been resolved: s390/ism: add release function for struct device According to device_release() in /drivers/base/core.c, a device without a release function is a broken device and must be fixed. The current code directly frees the device after calling device_add() without waiting for other kernel parts to release their references. Thus, a reference could still be held to a struct device, e.g., by sysfs, leading to potential use-after-free issues if a proper release function is not set. | CVE-2025-21856 | high | False Positive | 25.04.0 | Link | ||
linux-kernel 6.12.15-debug+truenas | In the Linux kernel, the following vulnerability has been resolved: geneve: Fix use-after-free in geneve_find_dev(). syzkaller reported a use-after-free in geneve_find_dev() [0] without repro. geneve_configure() links struct geneve_dev.next to net_generic(net, geneve_net_id)->geneve_list. The net here could differ from dev_net(dev) if IFLA_NET_NS_PID, IFLA_NET_NS_FD, or IFLA_TARGET_NETNSID is set. When dev_net(dev) is dismantled, geneve_exit_batch_rtnl() finally calls unregister_netdevice_queue() for each dev in the netns, and later the dev is freed. However, its geneve_dev.next is still linked to the backend UDP socket netns. Then, use-after-free will occur when another geneve dev is created in the netns. Let's call geneve_dellink() instead in geneve_destroy_tunnels(). [0]: BUG: KASAN: slab-use-after-free in geneve_find_dev drivers/net/geneve.c:1295 [inline] BUG: KASAN: slab-use-after-free in geneve_configure+0x234/0x858 drivers/net/geneve.c:1343 Read of size 2 at addr ffff000054d6ee24 by task syz.1.4029/13441 CPU: 1 UID: 0 PID: 13441 Comm: syz.1.4029 Not tainted 6.13.0-g0ad9617c78ac #24 dc35ca22c79fb82e8e7bc5c9c9adafea898b1e3d Hardware name: linux,dummy-virt (DT) Call trace: show_stack+0x38/0x50 arch/arm64/kernel/stacktrace.c:466 (C) __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0xbc/0x108 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x16c/0x6f0 mm/kasan/report.c:489 kasan_report+0xc0/0x120 mm/kasan/report.c:602 __asan_report_load2_noabort+0x20/0x30 mm/kasan/report_generic.c:379 geneve_find_dev drivers/net/geneve.c:1295 [inline] geneve_configure+0x234/0x858 drivers/net/geneve.c:1343 geneve_newlink+0xb8/0x128 drivers/net/geneve.c:1634 rtnl_newlink_create+0x23c/0x868 net/core/rtnetlink.c:3795 __rtnl_newlink net/core/rtnetlink.c:3906 [inline] rtnl_newlink+0x1054/0x1630 net/core/rtnetlink.c:4021 rtnetlink_rcv_msg+0x61c/0x918 net/core/rtnetlink.c:6911 netlink_rcv_skb+0x1dc/0x398 net/netlink/af_netlink.c:2543 rtnetlink_rcv+0x34/0x50 net/core/rtnetlink.c:6938 netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline] netlink_unicast+0x618/0x838 net/netlink/af_netlink.c:1348 netlink_sendmsg+0x5fc/0x8b0 net/netlink/af_netlink.c:1892 sock_sendmsg_nosec net/socket.c:713 [inline] __sock_sendmsg net/socket.c:728 [inline] ____sys_sendmsg+0x410/0x6f8 net/socket.c:2568 ___sys_sendmsg+0x178/0x1d8 net/socket.c:2622 __sys_sendmsg net/socket.c:2654 [inline] __do_sys_sendmsg net/socket.c:2659 [inline] __se_sys_sendmsg net/socket.c:2657 [inline] __arm64_sys_sendmsg+0x12c/0x1c8 net/socket.c:2657 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x90/0x278 arch/arm64/kernel/syscall.c:49 el0_svc_common+0x13c/0x250 arch/arm64/kernel/syscall.c:132 do_el0_svc+0x54/0x70 arch/arm64/kernel/syscall.c:151 el0_svc+0x4c/0xa8 arch/arm64/kernel/entry-common.c:744 el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:762 el0t_64_sync+0x198/0x1a0 arch/arm64/kernel/entry.S:600 Allocated by task 13247: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x30/0x68 mm/kasan/common.c:68 kasan_save_alloc_info+0x44/0x58 mm/kasan/generic.c:568 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0x84/0xa0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __do_kmalloc_node mm/slub.c:4298 [inline] __kmalloc_node_noprof+0x2a0/0x560 mm/slub.c:4304 __kvmalloc_node_noprof+0x9c/0x230 mm/util.c:645 alloc_netdev_mqs+0xb8/0x11a0 net/core/dev.c:11470 rtnl_create_link+0x2b8/0xb50 net/core/rtnetlink.c:3604 rtnl_newlink_create+0x19c/0x868 net/core/rtnetlink.c:3780 __rtnl_newlink net/core/rtnetlink.c:3906 [inline] rtnl_newlink+0x1054/0x1630 net/core/rtnetlink.c:4021 rtnetlink_rcv_msg+0x61c/0x918 net/core/rtnetlink.c:6911 netlink_rcv_skb+0x1dc/0x398 net/netlink/af_netlink.c:2543 rtnetlink_rcv+0x34/0x50 net/core/rtnetlink.c:6938 netlink_unicast_kernel net/netlink/af_n ---truncated--- | CVE-2025-21858 | high | False Positive | 25.04.0 | Link | ||
linux-kernel 6.12.15-debug+truenas | In the Linux kernel, the following vulnerability has been resolved: io_uring: prevent opcode speculation sqe->opcode is used for different tables, make sure we sanitise it against speculations. | CVE-2025-21863 | high | False Positive | 25.04.0 | Link | ||
linux-kernel 6.12.15-debug+truenas | In the Linux kernel, the following vulnerability has been resolved: bpf, test_run: Fix use-after-free issue in eth_skb_pkt_type() KMSAN reported a use-after-free issue in eth_skb_pkt_type()[1]. The cause of the issue was that eth_skb_pkt_type() accessed skb's data that didn't contain an Ethernet header. This occurs when bpf_prog_test_run_xdp() passes an invalid value as the user_data argument to bpf_test_init(). Fix this by returning an error when user_data is less than ETH_HLEN in bpf_test_init(). Additionally, remove the check for "if (user_size > size)" as it is unnecessary. [1] BUG: KMSAN: use-after-free in eth_skb_pkt_type include/linux/etherdevice.h:627 [inline] BUG: KMSAN: use-after-free in eth_type_trans+0x4ee/0x980 net/ethernet/eth.c:165 eth_skb_pkt_type include/linux/etherdevice.h:627 [inline] eth_type_trans+0x4ee/0x980 net/ethernet/eth.c:165 __xdp_build_skb_from_frame+0x5a8/0xa50 net/core/xdp.c:635 xdp_recv_frames net/bpf/test_run.c:272 [inline] xdp_test_run_batch net/bpf/test_run.c:361 [inline] bpf_test_run_xdp_live+0x2954/0x3330 net/bpf/test_run.c:390 bpf_prog_test_run_xdp+0x148e/0x1b10 net/bpf/test_run.c:1318 bpf_prog_test_run+0x5b7/0xa30 kernel/bpf/syscall.c:4371 __sys_bpf+0x6a6/0xe20 kernel/bpf/syscall.c:5777 __do_sys_bpf kernel/bpf/syscall.c:5866 [inline] __se_sys_bpf kernel/bpf/syscall.c:5864 [inline] __x64_sys_bpf+0xa4/0xf0 kernel/bpf/syscall.c:5864 x64_sys_call+0x2ea0/0x3d90 arch/x86/include/generated/asm/syscalls_64.h:322 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xd9/0x1d0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was created at: free_pages_prepare mm/page_alloc.c:1056 [inline] free_unref_page+0x156/0x1320 mm/page_alloc.c:2657 __free_pages+0xa3/0x1b0 mm/page_alloc.c:4838 bpf_ringbuf_free kernel/bpf/ringbuf.c:226 [inline] ringbuf_map_free+0xff/0x1e0 kernel/bpf/ringbuf.c:235 bpf_map_free kernel/bpf/syscall.c:838 [inline] bpf_map_free_deferred+0x17c/0x310 kernel/bpf/syscall.c:862 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xa2b/0x1b60 kernel/workqueue.c:3310 worker_thread+0xedf/0x1550 kernel/workqueue.c:3391 kthread+0x535/0x6b0 kernel/kthread.c:389 ret_from_fork+0x6e/0x90 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 CPU: 1 UID: 0 PID: 17276 Comm: syz.1.16450 Not tainted 6.12.0-05490-g9bb88c659673 #8 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014 | CVE-2025-21867 | high | False Positive | 25.04.0 | Link | ||
linux-kernel 6.12.15-debug+truenas | In the Linux kernel, the following vulnerability has been resolved: ovl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link_up The issue was caused by dput(upper) being called before ovl_dentry_update_reval(), while upper->d_flags was still accessed in ovl_dentry_remote(). Move dput(upper) after its last use to prevent use-after-free. BUG: KASAN: slab-use-after-free in ovl_dentry_remote fs/overlayfs/util.c:162 [inline] BUG: KASAN: slab-use-after-free in ovl_dentry_update_reval+0xd2/0xf0 fs/overlayfs/util.c:167 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114 print_address_description mm/kasan/report.c:377 [inline] print_report+0xc3/0x620 mm/kasan/report.c:488 kasan_report+0xd9/0x110 mm/kasan/report.c:601 ovl_dentry_remote fs/overlayfs/util.c:162 [inline] ovl_dentry_update_reval+0xd2/0xf0 fs/overlayfs/util.c:167 ovl_link_up fs/overlayfs/copy_up.c:610 [inline] ovl_copy_up_one+0x2105/0x3490 fs/overlayfs/copy_up.c:1170 ovl_copy_up_flags+0x18d/0x200 fs/overlayfs/copy_up.c:1223 ovl_rename+0x39e/0x18c0 fs/overlayfs/dir.c:1136 vfs_rename+0xf84/0x20a0 fs/namei.c:4893 ... </TASK> | CVE-2025-21887 | high | False Positive | 25.04.0 | Link | ||
linux-kernel 6.12.15-debug+truenas | In the Linux kernel, the following vulnerability has been resolved: keys: Fix UAF in key_put() Once a key's reference count has been reduced to 0, the garbage collector thread may destroy it at any time and so key_put() is not allowed to touch the key after that point. The most key_put() is normally allowed to do is to touch key_gc_work as that's a static global variable. However, in an effort to speed up the reclamation of quota, this is now done in key_put() once the key's usage is reduced to 0 - but now the code is looking at the key after the deadline, which is forbidden. Fix this by using a flag to indicate that a key can be gc'd now rather than looking at the key's refcount in the garbage collector. | CVE-2025-21893 | high | False Positive | 25.04.0 | Link | ||
linux-kernel 6.12.15-debug+truenas | In the Linux kernel, the following vulnerability has been resolved: sched/fair: Fix potential memory corruption in child_cfs_rq_on_list child_cfs_rq_on_list attempts to convert a 'prev' pointer to a cfs_rq. This 'prev' pointer can originate from struct rq's leaf_cfs_rq_list, making the conversion invalid and potentially leading to memory corruption. Depending on the relative positions of leaf_cfs_rq_list and the task group (tg) pointer within the struct, this can cause a memory fault or access garbage data. The issue arises in list_add_leaf_cfs_rq, where both cfs_rq->leaf_cfs_rq_list and rq->leaf_cfs_rq_list are added to the same leaf list. Also, rq->tmp_alone_branch can be set to rq->leaf_cfs_rq_list. This adds a check `if (prev == &rq->leaf_cfs_rq_list)` after the main conditional in child_cfs_rq_on_list. This ensures that the container_of operation will convert a correct cfs_rq struct. This check is sufficient because only cfs_rqs on the same CPU are added to the list, so verifying the 'prev' pointer against the current rq's list head is enough. Fixes a potential memory corruption issue that due to current struct layout might not be manifesting as a crash but could lead to unpredictable behavior when the layout changes. | CVE-2025-21919 | high | False Positive | 25.04.0 | Link | ||
linux-kernel 6.12.15-debug+truenas | In the Linux kernel, the following vulnerability has been resolved: vlan: enforce underlying device type Currently, VLAN devices can be created on top of non-ethernet devices. Besides the fact that it doesn't make much sense, this also causes a bug which leaks the address of a kernel function to usermode. When creating a VLAN device, we initialize GARP (garp_init_applicant) and MRP (mrp_init_applicant) for the underlying device. As part of the initialization process, we add the multicast address of each applicant to the underlying device, by calling dev_mc_add. __dev_mc_add uses dev->addr_len to determine the length of the new multicast address. This causes an out-of-bounds read if dev->addr_len is greater than 6, since the multicast addresses provided by GARP and MRP are only 6 bytes long. This behaviour can be reproduced using the following commands: ip tunnel add gretest mode ip6gre local ::1 remote ::2 dev lo ip l set up dev gretest ip link add link gretest name vlantest type vlan id 100 Then, the following command will display the address of garp_pdu_rcv: ip maddr show | grep 01:80:c2:00:00:21 Fix the bug by enforcing the type of the underlying device during VLAN device initialization. | CVE-2025-21920 | high | False Positive | 25.04.0 | Link | ||
linux-kernel 6.12.15-debug+truenas | In the Linux kernel, the following vulnerability has been resolved: nvme-tcp: fix potential memory corruption in nvme_tcp_recv_pdu() nvme_tcp_recv_pdu() doesn't check the validity of the header length. When header digests are enabled, a target might send a packet with an invalid header length (e.g. 255), causing nvme_tcp_verify_hdgst() to access memory outside the allocated area and cause memory corruptions by overwriting it with the calculated digest. Fix this by rejecting packets with an unexpected header length. | CVE-2025-21927 | high | False Positive | 25.04.0 | Link | ||
linux-kernel 6.12.15-debug+truenas | In the Linux kernel, the following vulnerability has been resolved: HID: intel-ish-hid: Fix use-after-free issue in ishtp_hid_remove() The system can experience a random crash a few minutes after the driver is removed. This issue occurs due to improper handling of memory freeing in the ishtp_hid_remove() function. The function currently frees the `driver_data` directly within the loop that destroys the HID devices, which can lead to accessing freed memory. Specifically, `hid_destroy_device()` uses `driver_data` when it calls `hid_ishtp_set_feature()` to power off the sensor, so freeing `driver_data` beforehand can result in accessing invalid memory. This patch resolves the issue by storing the `driver_data` in a temporary variable before calling `hid_destroy_device()`, and then freeing the `driver_data` after the device is destroyed. | CVE-2025-21928 | high | False Positive | 25.04.0 | Link | ||
linux-kernel 6.12.15-debug+truenas | In the Linux kernel, the following vulnerability has been resolved: HID: intel-ish-hid: Fix use-after-free issue in hid_ishtp_cl_remove() During the `rmmod` operation for the `intel_ishtp_hid` driver, a use-after-free issue can occur in the hid_ishtp_cl_remove() function. The function hid_ishtp_cl_deinit() is called before ishtp_hid_remove(), which can lead to accessing freed memory or resources during the removal process. Call Trace: ? ishtp_cl_send+0x168/0x220 [intel_ishtp] ? hid_output_report+0xe3/0x150 [hid] hid_ishtp_set_feature+0xb5/0x120 [intel_ishtp_hid] ishtp_hid_request+0x7b/0xb0 [intel_ishtp_hid] hid_hw_request+0x1f/0x40 [hid] sensor_hub_set_feature+0x11f/0x190 [hid_sensor_hub] _hid_sensor_power_state+0x147/0x1e0 [hid_sensor_trigger] hid_sensor_runtime_resume+0x22/0x30 [hid_sensor_trigger] sensor_hub_remove+0xa8/0xe0 [hid_sensor_hub] hid_device_remove+0x49/0xb0 [hid] hid_destroy_device+0x6f/0x90 [hid] ishtp_hid_remove+0x42/0x70 [intel_ishtp_hid] hid_ishtp_cl_remove+0x6b/0xb0 [intel_ishtp_hid] ishtp_cl_device_remove+0x4a/0x60 [intel_ishtp] ... Additionally, ishtp_hid_remove() is a HID level power off, which should occur before the ISHTP level disconnect. This patch resolves the issue by reordering the calls in hid_ishtp_cl_remove(). The function ishtp_hid_remove() is now called before hid_ishtp_cl_deinit(). | CVE-2025-21929 | high | False Positive | 25.04.0 | Link | ||
linux-kernel 6.12.15-debug+truenas | In the Linux kernel, the following vulnerability has been resolved: rapidio: fix an API misuse when rio_add_net() fails rio_add_net() calls device_register() and fails when device_register() fails. Thus, put_device() should be used rather than kfree(). Add "mport->net = NULL;" to avoid a use after free issue. | CVE-2025-21934 | high | False Positive | 25.04.0 | Link | ||
linux-kernel 6.12.15-debug+truenas | In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in smb2_lock If smb_lock->zero_len has value, ->llist of smb_lock is not deleted and flock is the old one. It will cause use-after-free in the error handling routine. | CVE-2025-21945 | high | False Positive | 25.04.0 | Link | ||
linux-kernel 6.12.15-debug+truenas | In the Linux kernel, the following vulnerability has been resolved: dm-flakey: Fix memory corruption in optional corrupt_bio_byte feature Fix memory corruption due to incorrect parameter being passed to bio_init | CVE-2025-21966 | high | False Positive | 25.04.0 | Link | ||
linux-kernel 6.12.15-debug+truenas | In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in ksmbd_free_work_struct ->interim_entry of ksmbd_work could be deleted after oplock is freed. We don't need to manage it with a linked list. The interim request could be immediately sent whenever an oplock break wait is needed. | CVE-2025-21967 | high | False Positive | 25.04.0 | Link | ||
linux-kernel 6.12.15-debug+truenas | In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix slab-use-after-free on hdcp_work [Why] A slab-use-after-free is reported when HDCP is destroyed but the property_validate_dwork queue is still running. [How] Cancel the delayed work when destroying workqueue. (cherry picked from commit 725a04ba5a95e89c89633d4322430cfbca7ce128) | CVE-2025-21968 | high | False Positive | 25.04.0 | Link | ||
linux-kernel 6.12.15-debug+truenas | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix slab-use-after-free Read in l2cap_send_cmd After the hci sync command releases l2cap_conn, the hci receive data work queue references the released l2cap_conn when sending to the upper layer. Add hci dev lock to the hci receive data work queue to synchronize the two. [1] BUG: KASAN: slab-use-after-free in l2cap_send_cmd+0x187/0x8d0 net/bluetooth/l2cap_core.c:954 Read of size 8 at addr ffff8880271a4000 by task kworker/u9:2/5837 CPU: 0 UID: 0 PID: 5837 Comm: kworker/u9:2 Not tainted 6.13.0-rc5-syzkaller-00163-gab75170520d4 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Workqueue: hci1 hci_rx_work Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x169/0x550 mm/kasan/report.c:489 kasan_report+0x143/0x180 mm/kasan/report.c:602 l2cap_build_cmd net/bluetooth/l2cap_core.c:2964 [inline] l2cap_send_cmd+0x187/0x8d0 net/bluetooth/l2cap_core.c:954 l2cap_sig_send_rej net/bluetooth/l2cap_core.c:5502 [inline] l2cap_sig_channel net/bluetooth/l2cap_core.c:5538 [inline] l2cap_recv_frame+0x221f/0x10db0 net/bluetooth/l2cap_core.c:6817 hci_acldata_packet net/bluetooth/hci_core.c:3797 [inline] hci_rx_work+0x508/0xdb0 net/bluetooth/hci_core.c:4040 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3310 worker_thread+0x870/0xd30 kernel/workqueue.c:3391 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> Allocated by task 5837: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4329 kmalloc_noprof include/linux/slab.h:901 [inline] kzalloc_noprof include/linux/slab.h:1037 [inline] l2cap_conn_add+0xa9/0x8e0 net/bluetooth/l2cap_core.c:6860 l2cap_connect_cfm+0x115/0x1090 net/bluetooth/l2cap_core.c:7239 hci_connect_cfm include/net/bluetooth/hci_core.h:2057 [inline] hci_remote_features_evt+0x68e/0xac0 net/bluetooth/hci_event.c:3726 hci_event_func net/bluetooth/hci_event.c:7473 [inline] hci_event_packet+0xac2/0x1540 net/bluetooth/hci_event.c:7525 hci_rx_work+0x3f3/0xdb0 net/bluetooth/hci_core.c:4035 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3310 worker_thread+0x870/0xd30 kernel/workqueue.c:3391 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Freed by task 54: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2353 [inline] slab_free mm/slub.c:4613 [inline] kfree+0x196/0x430 mm/slub.c:4761 l2cap_connect_cfm+0xcc/0x1090 net/bluetooth/l2cap_core.c:7235 hci_connect_cfm include/net/bluetooth/hci_core.h:2057 [inline] hci_conn_failed+0x287/0x400 net/bluetooth/hci_conn.c:1266 hci_abort_conn_sync+0x56c/0x11f0 net/bluetooth/hci_sync.c:5603 hci_cmd_sync_work+0x22b/0x400 net/bluetooth/hci_sync.c:332 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3310 worker_thread+0x870/0xd30 kernel/workqueue.c:3391 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entr ---truncated--- | CVE-2025-21969 | high | False Positive | 25.04.0 | Link | ||
linux-kernel 6.12.15-debug+truenas | In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: cancel wiphy_work before freeing wiphy A wiphy_work can be queued from the moment the wiphy is allocated and initialized (i.e. wiphy_new_nm). When a wiphy_work is queued, the rdev::wiphy_work is getting queued. If wiphy_free is called before the rdev::wiphy_work had a chance to run, the wiphy memory will be freed, and then when it eventually gets to run it'll use invalid memory. Fix this by canceling the work before freeing the wiphy. | CVE-2025-21979 | high | False Positive | 25.04.0 | Link | ||
linux-kernel 6.12.15-debug+truenas | In the Linux kernel, the following vulnerability has been resolved: x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes Currently, load_microcode_amd() iterates over all NUMA nodes, retrieves their CPU masks and unconditionally accesses per-CPU data for the first CPU of each mask. According to Documentation/admin-guide/mm/numaperf.rst: "Some memory may share the same node as a CPU, and others are provided as memory only nodes." Therefore, some node CPU masks may be empty and wouldn't have a "first CPU". On a machine with far memory (and therefore CPU-less NUMA nodes): - cpumask_of_node(nid) is 0 - cpumask_first(0) is CONFIG_NR_CPUS - cpu_data(CONFIG_NR_CPUS) accesses the cpu_info per-CPU array at an index that is 1 out of bounds This does not have any security implications since flashing microcode is a privileged operation but I believe this has reliability implications by potentially corrupting memory while flashing a microcode update. When booting with CONFIG_UBSAN_BOUNDS=y on an AMD machine that flashes a microcode update. I get the following splat: UBSAN: array-index-out-of-bounds in arch/x86/kernel/cpu/microcode/amd.c:X:Y index 512 is out of range for type 'unsigned long[512]' [...] Call Trace: dump_stack __ubsan_handle_out_of_bounds load_microcode_amd request_microcode_amd reload_store kernfs_fop_write_iter vfs_write ksys_write do_syscall_64 entry_SYSCALL_64_after_hwframe Change the loop to go over only NUMA nodes which have CPUs before determining whether the first CPU on the respective node needs microcode update. [ bp: Massage commit message, fix typo. ] | CVE-2025-21991 | high | False Positive | 25.04.0 | Link | ||
linux-kernel 6.12.15-debug+truenas | In the Linux kernel, the following vulnerability has been resolved: iscsi_ibft: Fix UBSAN shift-out-of-bounds warning in ibft_attr_show_nic() When performing an iSCSI boot using IPv6, iscsistart still reads the /sys/firmware/ibft/ethernetX/subnet-mask entry. Since the IPv6 prefix length is 64, this causes the shift exponent to become negative, triggering a UBSAN warning. As the concept of a subnet mask does not apply to IPv6, the value is set to ~0 to suppress the warning message. | CVE-2025-21993 | high | False Positive | 25.04.0 | Link | ||
linux-kernel 6.12.15-debug+truenas | In the Linux kernel, the following vulnerability has been resolved: proc: fix UAF in proc_get_inode() Fix race between rmmod and /proc/XXX's inode instantiation. The bug is that pde->proc_ops don't belong to /proc, it belongs to a module, therefore dereferencing it after /proc entry has been registered is a bug unless use_pde/unuse_pde() pair has been used. use_pde/unuse_pde can be avoided (2 atomic ops!) because pde->proc_ops never changes so information necessary for inode instantiation can be saved _before_ proc_register() in PDE itself and used later, avoiding pde->proc_ops->... dereference. rmmod lookup sys_delete_module proc_lookup_de pde_get(de); proc_get_inode(dir->i_sb, de); mod->exit() proc_remove remove_proc_subtree proc_entry_rundown(de); free_module(mod); if (S_ISREG(inode->i_mode)) if (de->proc_ops->proc_read_iter) --> As module is already freed, will trigger UAF BUG: unable to handle page fault for address: fffffbfff80a702b PGD 817fc4067 P4D 817fc4067 PUD 817fc0067 PMD 102ef4067 PTE 0 Oops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 26 UID: 0 PID: 2667 Comm: ls Tainted: G Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) RIP: 0010:proc_get_inode+0x302/0x6e0 RSP: 0018:ffff88811c837998 EFLAGS: 00010a06 RAX: dffffc0000000000 RBX: ffffffffc0538140 RCX: 0000000000000007 RDX: 1ffffffff80a702b RSI: 0000000000000001 RDI: ffffffffc0538158 RBP: ffff8881299a6000 R08: 0000000067bbe1e5 R09: 1ffff11023906f20 R10: ffffffffb560ca07 R11: ffffffffb2b43a58 R12: ffff888105bb78f0 R13: ffff888100518048 R14: ffff8881299a6004 R15: 0000000000000001 FS: 00007f95b9686840(0000) GS:ffff8883af100000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: fffffbfff80a702b CR3: 0000000117dd2000 CR4: 00000000000006f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> proc_lookup_de+0x11f/0x2e0 __lookup_slow+0x188/0x350 walk_component+0x2ab/0x4f0 path_lookupat+0x120/0x660 filename_lookup+0x1ce/0x560 vfs_statx+0xac/0x150 __do_sys_newstat+0x96/0x110 do_syscall_64+0x5f/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e [adobriyan@gmail.com: don't do 2 atomic ops on the common path] | CVE-2025-21999 | high | False Positive | 25.04.0 | Link | ||
linux-kernel 6.12.15-debug+truenas | In the Linux kernel, the following vulnerability has been resolved: net: atm: fix use after free in lec_send() The ->send() operation frees skb so save the length before calling ->send() to avoid a use after free. | CVE-2025-22004 | high | False Positive | 25.04.0 | Link | ||
libxslt1.1 1.1.35-1 | numbers.c in libxslt before 1.1.43 has a use-after-free because, in nested XPath evaluations, an XPath context node can be modified but never restored. This is related to xsltNumberFormatGetValue, xsltEvalXPathPredicate, xsltEvalXPathStringNs, and xsltComputeSortResultInternal. | CVE-2025-24855 | high | False Positive | 25.04.0 | Link | ||
libxml2 2.9.14+dfsg-1.3~deb12u1 | libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a stack-based buffer overflow in xmlSnprintfElements in valid.c. To exploit this, DTD validation must occur for an untrusted document or untrusted DTD. NOTE: this is similar to CVE-2017-9047. | CVE-2025-24928 | high | False Positive | 25.04.0 | Link | ||
libxml2 2.9.14+dfsg-1.3~deb12u1 | libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c. | CVE-2025-27113 | high | False Positive | 25.04.0 | Link | ||
libfreetype6 2.12.1+dfsg-5+deb12u3 | An out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution. This vulnerability may have been exploited in the wild. | CVE-2025-27363 | high | False Positive | 25.04.0 | Link | ||
exim4-base 4.96-15+deb12u6 | A use-after-free in Exim 4.96 through 4.98.1 could allow users (with command-line access) to escalate privileges. | CVE-2025-30232 | high | False Positive | 25.04.0 | Link | ||
liblzma5 5.4.1-0.2 | XZ Utils provide a general-purpose data-compression library plus command-line tools. In XZ Utils 5.3.3alpha to 5.8.0, the multithreaded .xz decoder in liblzma has a bug where invalid input can at least result in a crash. The effects include heap use after free and writing to an address based on the null pointer plus an offset. Applications and libraries that use the lzma_stream_decoder_mt function are affected. The bug has been fixed in XZ Utils 5.8.1, and the fix has been committed to the v5.4, v5.6, v5.8, and master branches in the xz Git repository. No new release packages will be made from the old stable branches, but a standalone patch is available that applies to all affected releases. | CVE-2025-31115 | high | False Positive | 25.04.0 | Link | ||
gitpython 3.1.30 | Untrusted search path under some conditions on Windows allows arbitrary code execution | GHSA-2mqj-m65w-jghx | high | False Positive | 25.04.0 | Link | Windows vulnerability. | |
pillow 9.4.0 | Pillow buffer overflow vulnerability | GHSA-44wm-f244-xhp3 | high | False Positive | 25.04.0 | Link | Pillow not installed. | |
pillow 9.4.0 | Bundled libwebp in Pillow vulnerable | GHSA-56pw-mpj4-fxww | high | False Positive | 25.04.0 | Link | Pillow code not reachable for untrusted images. | 
pillow 9.4.0 | Pillow Denial of Service vulnerability | GHSA-8ghj-p4vj-mr35 | high | False Positive | 25.04.0 | Link | Pillow not used for arbitrary image processing. | |
asyncssh 2.10.1 | AsyncSSH Rogue Session Attack | GHSA-c35q-ffpf-5qpm | high | False Positive | 25.04.0 | Link | asyncssh not used in vulnerable fashion | |
setuptools 66.1.1 | setuptools vulnerable to Command Injection via package URL | GHSA-cx63-2mw6-8hw5 | high | False Positive | 25.04.0 | Link | setuptools not used for untrusted packages. | |
golang.org/x/crypto v0.17.0 | golang.org/x/crypto Vulnerable to Denial of Service (DoS) via Slow or Incomplete Key Exchange | GHSA-hcg3-q754-cr77 | high | False Positive | 25.04.0 | Link | ||
pycryptodomex 3.11.0 | PyCryptodome and pycryptodomex side-channel leakage for OAEP decryption | GHSA-j225-cvw7-qrx7 | high | False Positive | 25.04.0 | Link | OAEP decryption not used internally in TrueNAS. | 
pillow 9.4.0 | libwebp: OOB write in BuildHuffmanTable | GHSA-j7hp-h8jx-5ppr | high | False Positive | 25.04.0 | Link | Pillow not used for untrusted image processing. | |
markdown-it-py 2.1.0 | markdown-it-py Denial of Service vulnerability in the command line interface | GHSA-jrwr-5x3p-hvc3 | high | False Positive | 25.04.0 | Link | markdown not used in vulnerable fashion. | |
github.com/golang-jwt/jwt/v4 v4.5.0 | jwt-go allows excessive memory allocation during header parsing | GHSA-mh63-6h87-95cp | high | False Positive | 25.04.0 | Link | ||
urllib3 1.26.12 | `Cookie` HTTP header isn't stripped on cross-origin redirects | GHSA-v845-jxx5-vc9f | high | False Positive | 25.04.0 | Link | urllib3 not used in vulnerable fashion. | 
markdown-it-py 2.1.0 | markdown-it-py Denial of Service vulnerability | GHSA-vrjv-mxr7-vjf8 | high | False Positive | 25.04.0 | Link | markdown not used in vulnerable fashion. | |
gitpython 3.1.30 | GitPython untrusted search path on Windows systems leading to arbitrary code execution | GHSA-wfm5-v35h-vwf4 | high | False Positive | 25.04.0 | Link | Windows vulnerability. | |
certifi 2022.9.24 | Removal of e-Tugra root certificate | GHSA-xqr8-7jwr-rhp7 | high | False Positive | 25.04.0 | Link | External certificate issue. | |
libperl5.36 5.36.0-7+deb12u1 | A heap buffer overflow vulnerability was discovered in Perl. Release branches 5.34, 5.36, 5.38 and 5.40 are affected, including development versions from 5.33.1 through 5.41.10. When there are non-ASCII bytes in the left-hand-side of the `tr` operator, `S_do_trans_invmap` can overflow the destination pointer `d`. $ perl -e '$_ = "\x{FF}" x 1000000; tr/\xFF/\x{100}/;' Segmentation fault (core dumped) It is believed that this vulnerability can enable Denial of Service and possibly Code Execution attacks on platforms that lack sufficient defenses. | CVE-2024-56406 | unknown | False Positive | 25.04.0 | Link | ||
libxencall1 4.17.3+10-g091466ba55-1~deb12u1 | CVE-2025-1713 | unknown | False Positive | 25.04.0 | Link | |||
stdlib go1.21.6 | The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext. | CVE-2025-22871 | unknown | False Positive | 25.04.0 | Link | ||
krb5-user 1.20.1-2+deb12u2 | CVE-2025-24528 | unknown | False Positive | 25.04.0 | Link | |||
BMC IPMI firmware | The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication, which allows remote attackers to obtain password hashes and conduct offline password guessing attacks by obtaining the HMAC from a RAKP message 2 response from a BMC. | CVE-2013-4786 | High | Low | M30 | Not yet resolved | Link | As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
BMC IPMI firmware | The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication, which allows remote attackers to obtain password hashes and conduct offline password guessing attacks by obtaining the HMAC from a RAKP message 2 response from a BMC. | CVE-2013-4786 | High | Low | M40 (G1/G2/G3) | Not yet resolved | Link | As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
BMC IPMI firmware | The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication, which allows remote attackers to obtain password hashes and conduct offline password guessing attacks by obtaining the HMAC from a RAKP message 2 response from a BMC. | CVE-2013-4786 | High | Low | M50 (G1/G2/G3) | Not yet resolved | Link | As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
BMC IPMI firmware | The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication, which allows remote attackers to obtain password hashes and conduct offline password guessing attacks by obtaining the HMAC from a RAKP message 2 response from a BMC. | CVE-2013-4786 | High | Low | M60 | Not yet resolved | Link | As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
BMC IPMI firmware | The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication, which allows remote attackers to obtain password hashes and conduct offline password guessing attacks by obtaining the HMAC from a RAKP message 2 response from a BMC. | CVE-2013-4786 | High | Low | R10 | Not yet resolved | Link | As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
BMC IPMI firmware | The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication, which allows remote attackers to obtain password hashes and conduct offline password guessing attacks by obtaining the HMAC from a RAKP message 2 response from a BMC. | CVE-2013-4786 | High | Low | R20 | Not yet resolved | Link | As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
BMC IPMI firmware | The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication, which allows remote attackers to obtain password hashes and conduct offline password guessing attacks by obtaining the HMAC from a RAKP message 2 response from a BMC. | CVE-2013-4786 | High | Low | R20A | Not yet resolved | Link | As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
BMC IPMI firmware | The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication, which allows remote attackers to obtain password hashes and conduct offline password guessing attacks by obtaining the HMAC from a RAKP message 2 response from a BMC. | CVE-2013-4786 | High | Low | R20B | Not yet resolved | Link | As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
BMC IPMI firmware | The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication, which allows remote attackers to obtain password hashes and conduct offline password guessing attacks by obtaining the HMAC from a RAKP message 2 response from a BMC. | CVE-2013-4786 | High | Low | R40 | Not yet resolved | Link | As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
BMC IPMI firmware | The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication, which allows remote attackers to obtain password hashes and conduct offline password guessing attacks by obtaining the HMAC from a RAKP message 2 response from a BMC. | CVE-2013-4786 | High | Low | R50 | Not yet resolved | Link | As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
BMC IPMI firmware | The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication, which allows remote attackers to obtain password hashes and conduct offline password guessing attacks by obtaining the HMAC from a RAKP message 2 response from a BMC. | CVE-2013-4786 | High | Low | R50B | Not yet resolved | Link | As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
BMC IPMI firmware | The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication, which allows remote attackers to obtain password hashes and conduct offline password guessing attacks by obtaining the HMAC from a RAKP message 2 response from a BMC. | CVE-2013-4786 | High | Low | R50BM | Not yet resolved | Link | As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
Supermicro BMC IPMI firmware (1.71.11) | An attacker needs to be logged into BMC with administrator privileges to exploit the vulnerability. An unvalidated input value could allow the attacker to perform command injection. | CVE-2023-40289 | False Positive | False Positive | R10 | N/A | Link | N/A to iX custom FW |
Supermicro BMC IPMI firmware (1.71.11) | An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. | CVE-2023-40284 | False Positive | False Positive | R10 | N/A | Link | N/A to iX custom FW |
Supermicro BMC IPMI firmware (1.71.11) | An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. | CVE-2023-40287 | High | Low | R10 | Not yet resolved | Link | As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
Supermicro BMC IPMI firmware (1.71.11) | An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. | CVE-2023-40288 | High | Low | R10 | Not yet resolved | Link | As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
Supermicro BMC IPMI firmware (1.71.11) | An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. This vulnerability can only be exploited using Windows IE11 browser. | CVE-2023-40290 | False Positive | False Positive | R10 | N/A | Link | N/A to iX custom FW |
Supermicro BMC IPMI firmware (1.71.11) | An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. | CVE-2023-40285 | False Positive | False Positive | R10 | N/A | Link | N/A to iX custom FW |
Supermicro BMC IPMI firmware (1.71.11) | An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. | CVE-2023-40286 | High | Low | R10 | Not yet resolved | Link | As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
Supermicro BMC IPMI firmware (1.71.11) | An attacker needs to be logged into BMC with administrator privileges to exploit the vulnerability. An unvalidated input value could allow the attacker to perform command injection. | CVE-2023-40289 | False Positive | False Positive | R20 | N/A | Link | N/A to iX custom FW |
Supermicro BMC IPMI firmware (1.71.11) | An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. | CVE-2023-40284 | False Positive | False Positive | R20 | N/A | Link | N/A to iX custom FW |
Supermicro BMC IPMI firmware (1.71.11) | An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. | CVE-2023-40287 | High | Low | R20 | Not yet resolved | Link | As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
Supermicro BMC IPMI firmware (1.71.11) | An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. | CVE-2023-40288 | High | Low | R20 | Not yet resolved | Link | As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
Supermicro BMC IPMI firmware (1.71.11) | An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. This vulnerability can only be exploited using Windows IE11 browser. | CVE-2023-40290 | False Positive | False Positive | R20 | N/A | Link | N/A to iX custom FW |
Supermicro BMC IPMI firmware (1.71.11) | An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. | CVE-2023-40285 | False Positive | False Positive | R20 | N/A | Link | N/A to iX custom FW |
Supermicro BMC IPMI firmware (1.71.11) | An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. | CVE-2023-40286 | High | Low | R20 | Not yet resolved | Link | As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
Supermicro BMC IPMI firmware (1.71.11) | An attacker needs to be logged into BMC with administrator privileges to exploit the vulnerability. An unvalidated input value could allow the attacker to perform command injection. | CVE-2023-40289 | False Positive | False Positive | R20A | N/A | Link | N/A to iX custom FW |
Supermicro BMC IPMI firmware (1.71.11) | An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. | CVE-2023-40284 | False Positive | False Positive | R20A | N/A | Link | N/A to iX custom FW |
Supermicro BMC IPMI firmware (1.71.11) | An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. | CVE-2023-40287 | High | Low | R20A | Not yet resolved | Link | As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
Supermicro BMC IPMI firmware (1.71.11) | An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. | CVE-2023-40288 | High | Low | R20A | Not yet resolved | Link | As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
Supermicro BMC IPMI firmware (1.71.11) | An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. This vulnerability can only be exploited using Windows IE11 browser. | CVE-2023-40290 | False Positive | False Positive | R20A | N/A | Link | N/A to iX custom FW |
Supermicro BMC IPMI firmware (1.71.11) | An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. | CVE-2023-40285 | False Positive | False Positive | R20A | N/A | Link | N/A to iX custom FW |
Supermicro BMC IPMI firmware (1.71.11) | An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. | CVE-2023-40286 | High | Low | R20A | Not yet resolved | Link | As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
Supermicro BMC IPMI firmware (1.71.11) | An attacker needs to be logged into BMC with administrator privileges to exploit the vulnerability. An unvalidated input value could allow the attacker to perform command injection. | CVE-2023-40289 | False Positive | False Positive | R40 | N/A | Link | N/A to iX custom FW |
Supermicro BMC IPMI firmware (1.71.11) | An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. | CVE-2023-40284 | False Positive | False Positive | R40 | N/A | Link | N/A to iX custom FW |
Supermicro BMC IPMI firmware (1.71.11) | An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. | CVE-2023-40287 | High | Low | R40 | Not yet resolved | Link | As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
Supermicro BMC IPMI firmware (1.71.11) | An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. | CVE-2023-40288 | High | Low | R40 | Not yet resolved | Link | As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
Supermicro BMC IPMI firmware (1.71.11) | An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. This vulnerability can only be exploited using Windows IE11 browser. | CVE-2023-40290 | False Positive | False Positive | R40 | N/A | Link | N/A to iX custom FW |
Supermicro BMC IPMI firmware (1.71.11) | An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. | CVE-2023-40285 | False Positive | False Positive | R40 | N/A | Link | N/A to iX custom FW |
Supermicro BMC IPMI firmware (1.71.11) | An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. | CVE-2023-40286 | High | Low | R40 | Not yet resolved | Link | As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
Supermicro BMC IPMI firmware (1.71.11) | An attacker needs to be logged into BMC with administrator privileges to exploit the vulnerability. An unvalidated input value could allow the attacker to perform command injection. | CVE-2023-40289 | False Positive | False Positive | R50 | N/A | Link | N/A to iX custom FW |
Supermicro BMC IPMI firmware (1.71.11) | An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. | CVE-2023-40284 | False Positive | False Positive | R50 | N/A | Link | N/A to iX custom FW |
Supermicro BMC IPMI firmware (1.71.11) | An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. | CVE-2023-40287 | High | Low | R50 | Not yet resolved | Link | As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
Supermicro BMC IPMI firmware (1.71.11) | An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. | CVE-2023-40288 | High | Low | R50 | Not yet resolved | Link | As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
Supermicro BMC IPMI firmware (1.71.11) | An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. This vulnerability can only be exploited using Windows IE11 browser. | CVE-2023-40290 | False Positive | False Positive | R50 | N/A | Link | N/A to iX custom FW |
Supermicro BMC IPMI firmware (1.71.11) | An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. | CVE-2023-40285 | False Positive | False Positive | R50 | N/A | Link | N/A to iX custom FW |
Supermicro BMC IPMI firmware (1.71.11) | An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. | CVE-2023-40286 | High | Low | R50 | Not yet resolved | Link | As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
Supermicro BMC IPMI firmware (6.74.11) | An attacker needs to be logged into BMC with administrator privileges to exploit the vulnerability. An unvalidated input value could allow the attacker to perform command injection. | CVE-2023-40289 | False Positive | False Positive | R20B | N/A | Link | N/A to iX custom FW |
Supermicro BMC IPMI firmware (6.74.11) | An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. | CVE-2023-40284 | False Positive | False Positive | R20B | N/A | Link | N/A to iX custom FW |
Supermicro BMC IPMI firmware (6.74.11) | An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. | CVE-2023-40287 | High | Low | R20B | Not yet resolved | Link | As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
Supermicro BMC IPMI firmware (6.74.11) | An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. | CVE-2023-40288 | High | Low | R20B | Not yet resolved | Link | As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
Supermicro BMC IPMI firmware (6.74.11) | An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. This vulnerability can only be exploited using Windows IE11 browser. | CVE-2023-40290 | False Positive | False Positive | R20B | N/A | Link | N/A to iX custom FW |
Supermicro BMC IPMI firmware (6.74.11) | An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. | CVE-2023-40285 | False Positive | False Positive | R20B | N/A | Link | N/A to iX custom FW |
Supermicro BMC IPMI firmware (6.74.11) | An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. | CVE-2023-40286 | High | Low | R20B | Not yet resolved | Link | As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
Supermicro BMC IPMI firmware (6.74.11) | An attacker needs to be logged into BMC with administrator privileges to exploit the vulnerability. An unvalidated input value could allow the attacker to perform command injection. | CVE-2023-40289 | False Positive | False Positive | R50B | N/A | Link | N/A to iX custom FW |
Supermicro BMC IPMI firmware (6.74.11) | An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. | CVE-2023-40284 | False Positive | False Positive | R50B | N/A | Link | N/A to iX custom FW |
Supermicro BMC IPMI firmware (6.74.11) | An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. | CVE-2023-40287 | High | Low | R50B | Not yet resolved | Link | As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
Supermicro BMC IPMI firmware (6.74.11) | An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. | CVE-2023-40288 | High | Low | R50B | Not yet resolved | Link | As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
Supermicro BMC IPMI firmware (6.74.11) | An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. This vulnerability can only be exploited using Windows IE11 browser. | CVE-2023-40290 | False Positive | False Positive | R50B | N/A | Link | N/A to iX custom FW |
Supermicro BMC IPMI firmware (6.74.11) | An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. | CVE-2023-40285 | False Positive | False Positive | R50B | N/A | Link | N/A to iX custom FW |
Supermicro BMC IPMI firmware (6.74.11) | An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. | CVE-2023-40286 | High | Low | R50B | Not yet resolved | Link | As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
Supermicro BMC IPMI firmware (6.74.11) | An attacker needs to be logged into BMC with administrator privileges to exploit the vulnerability. An unvalidated input value could allow the attacker to perform command injection. | CVE-2023-40289 | False Positive | False Positive | R50BM | N/A | Link | N/A to iX custom FW |
Supermicro BMC IPMI firmware (6.74.11) | An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. | CVE-2023-40284 | False Positive | False Positive | R50BM | N/A | Link | N/A to iX custom FW |
Supermicro BMC IPMI firmware (6.74.11) | An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. | CVE-2023-40287 | High | Low | R50BM | Not yet resolved | Link | As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
Supermicro BMC IPMI firmware (6.74.11) | An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. | CVE-2023-40288 | High | Low | R50BM | Not yet resolved | Link | As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
Supermicro BMC IPMI firmware (6.74.11) | An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. This vulnerability can only be exploited using Windows IE11 browser. | CVE-2023-40290 | False Positive | False Positive | R50BM | N/A | Link | N/A to iX custom FW |
Supermicro BMC IPMI firmware (6.74.11) | An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. | CVE-2023-40285 | False Positive | False Positive | R50BM | N/A | Link | N/A to iX custom FW |
Supermicro BMC IPMI firmware (6.74.11) | An attacker could send a phishing link that does not require login, tricking BMC administrators into clicking that link while they are still logged in and thus authenticated by the BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. | CVE-2023-40286 | High | Low | R50BM | Not yet resolved | Link | As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit; the iX Rating is therefore Low. |
Supermicro BMC IPMI firmware (6.74.11) | An attacker needs to be logged into the BMC with administrator privileges to exploit the vulnerability. An unvalidated input value could allow the attacker to perform command injection. | CVE-2023-40289 | False Positive | False Positive | M30 | N/A | Link | N/A to iX custom FW |
Supermicro BMC IPMI firmware (6.74.11) | An attacker could send a phishing link that does not require login, tricking BMC administrators into clicking that link while they are still logged in and thus authenticated by the BMC Web UI. | CVE-2023-40284 | False Positive | False Positive | M30 | N/A | Link | N/A to iX custom FW |
Supermicro BMC IPMI firmware (6.74.11) | An attacker could send a phishing link that does not require login, tricking BMC administrators into clicking that link while they are still logged in and thus authenticated by the BMC Web UI. | CVE-2023-40287 | High | Low | M30 | Not yet resolved | Link | As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit; the iX Rating is therefore Low. |
Supermicro BMC IPMI firmware (6.74.11) | An attacker could send a phishing link that does not require login, tricking BMC administrators into clicking that link while they are still logged in and thus authenticated by the BMC Web UI. | CVE-2023-40288 | High | Low | M30 | Not yet resolved | Link | As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit; the iX Rating is therefore Low. |
Supermicro BMC IPMI firmware (6.74.11) | An attacker could send a phishing link that does not require login, tricking BMC administrators into clicking that link while they are still logged in and thus authenticated by the BMC Web UI. This vulnerability can only be exploited using the Windows IE11 browser. | CVE-2023-40290 | False Positive | False Positive | M30 | N/A | Link | N/A to iX custom FW |
Supermicro BMC IPMI firmware (6.74.11) | An attacker could send a phishing link that does not require login, tricking BMC administrators into clicking that link while they are still logged in and thus authenticated by the BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. | CVE-2023-40285 | False Positive | False Positive | M30 | N/A | Link | N/A to iX custom FW |
Supermicro BMC IPMI firmware (6.74.11) | An attacker could send a phishing link that does not require login, tricking BMC administrators into clicking that link while they are still logged in and thus authenticated by the BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. | CVE-2023-40286 | High | Low | M30 | Not yet resolved | Link | As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit; the iX Rating is therefore Low. |
Supermicro BMC IPMI firmware (6.74.11) | An attacker needs to be logged into the BMC with administrator privileges to exploit the vulnerability. An unvalidated input value could allow the attacker to perform command injection. | CVE-2023-40289 | False Positive | False Positive | M40 (G1/G2/G3) | N/A | Link | N/A to iX custom FW |
Supermicro BMC IPMI firmware (6.74.11) | An attacker could send a phishing link that does not require login, tricking BMC administrators into clicking that link while they are still logged in and thus authenticated by the BMC Web UI. | CVE-2023-40284 | False Positive | False Positive | M40 (G1/G2/G3) | N/A | Link | N/A to iX custom FW |
Supermicro BMC IPMI firmware (6.74.11) | An attacker could send a phishing link that does not require login, tricking BMC administrators into clicking that link while they are still logged in and thus authenticated by the BMC Web UI. | CVE-2023-40287 | High | Low | M40 (G1/G2/G3) | Not yet resolved | Link | As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit; the iX Rating is therefore Low. |
Supermicro BMC IPMI firmware (6.74.11) | An attacker could send a phishing link that does not require login, tricking BMC administrators into clicking that link while they are still logged in and thus authenticated by the BMC Web UI. | CVE-2023-40288 | High | Low | M40 (G1/G2/G3) | Not yet resolved | Link | As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit; the iX Rating is therefore Low. |
Supermicro BMC IPMI firmware (6.74.11) | An attacker could send a phishing link that does not require login, tricking BMC administrators into clicking that link while they are still logged in and thus authenticated by the BMC Web UI. This vulnerability can only be exploited using the Windows IE11 browser. | CVE-2023-40290 | False Positive | False Positive | M40 (G1/G2/G3) | N/A | Link | N/A to iX custom FW |
Supermicro BMC IPMI firmware (6.74.11) | An attacker could send a phishing link that does not require login, tricking BMC administrators into clicking that link while they are still logged in and thus authenticated by the BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. | CVE-2023-40285 | False Positive | False Positive | M40 (G1/G2/G3) | N/A | Link | N/A to iX custom FW |
Supermicro BMC IPMI firmware (6.74.11) | An attacker could send a phishing link that does not require login, tricking BMC administrators into clicking that link while they are still logged in and thus authenticated by the BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. | CVE-2023-40286 | High | Low | M40 (G1/G2/G3) | Not yet resolved | Link | As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit; the iX Rating is therefore Low. |
Supermicro BMC IPMI firmware (6.74.11) | An attacker needs to be logged into the BMC with administrator privileges to exploit the vulnerability. An unvalidated input value could allow the attacker to perform command injection. | CVE-2023-40289 | False Positive | False Positive | M50 (G1/G2/G3) | N/A | Link | N/A to iX custom FW |
Supermicro BMC IPMI firmware (6.74.11) | An attacker could send a phishing link that does not require login, tricking BMC administrators into clicking that link while they are still logged in and thus authenticated by the BMC Web UI. | CVE-2023-40284 | False Positive | False Positive | M50 (G1/G2/G3) | N/A | Link | N/A to iX custom FW |
Supermicro BMC IPMI firmware (6.74.11) | An attacker could send a phishing link that does not require login, tricking BMC administrators into clicking that link while they are still logged in and thus authenticated by the BMC Web UI. | CVE-2023-40287 | High | Low | M50 (G1/G2/G3) | Not yet resolved | Link | As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit; the iX Rating is therefore Low. |
Supermicro BMC IPMI firmware (6.74.11) | An attacker could send a phishing link that does not require login, tricking BMC administrators into clicking that link while they are still logged in and thus authenticated by the BMC Web UI. | CVE-2023-40288 | High | Low | M50 (G1/G2/G3) | Not yet resolved | Link | As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit; the iX Rating is therefore Low. |
Supermicro BMC IPMI firmware (6.74.11) | An attacker could send a phishing link that does not require login, tricking BMC administrators into clicking that link while they are still logged in and thus authenticated by the BMC Web UI. This vulnerability can only be exploited using the Windows IE11 browser. | CVE-2023-40290 | False Positive | False Positive | M50 (G1/G2/G3) | N/A | Link | N/A to iX custom FW |
Supermicro BMC IPMI firmware (6.74.11) | An attacker could send a phishing link that does not require login, tricking BMC administrators into clicking that link while they are still logged in and thus authenticated by the BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. | CVE-2023-40285 | False Positive | False Positive | M50 (G1/G2/G3) | N/A | Link | N/A to iX custom FW |
Supermicro BMC IPMI firmware (6.74.11) | An attacker could send a phishing link that does not require login, tricking BMC administrators into clicking that link while they are still logged in and thus authenticated by the BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. | CVE-2023-40286 | High | Low | M50 (G1/G2/G3) | Not yet resolved | Link | As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit; the iX Rating is therefore Low. |
Supermicro BMC IPMI firmware (6.74.11) | An attacker needs to be logged into the BMC with administrator privileges to exploit the vulnerability. An unvalidated input value could allow the attacker to perform command injection. | CVE-2023-40289 | False Positive | False Positive | M60 | N/A | Link | N/A to iX custom FW |
Supermicro BMC IPMI firmware (6.74.11) | An attacker could send a phishing link that does not require login, tricking BMC administrators into clicking that link while they are still logged in and thus authenticated by the BMC Web UI. | CVE-2023-40284 | False Positive | False Positive | M60 | N/A | Link | N/A to iX custom FW |
Supermicro BMC IPMI firmware (6.74.11) | An attacker could send a phishing link that does not require login, tricking BMC administrators into clicking that link while they are still logged in and thus authenticated by the BMC Web UI. | CVE-2023-40287 | High | Low | M60 | Not yet resolved | Link | As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit; the iX Rating is therefore Low. |
Supermicro BMC IPMI firmware (6.74.11) | An attacker could send a phishing link that does not require login, tricking BMC administrators into clicking that link while they are still logged in and thus authenticated by the BMC Web UI. | CVE-2023-40288 | High | Low | M60 | Not yet resolved | Link | As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit; the iX Rating is therefore Low. |
Supermicro BMC IPMI firmware (6.74.11) | An attacker could send a phishing link that does not require login, tricking BMC administrators into clicking that link while they are still logged in and thus authenticated by the BMC Web UI. This vulnerability can only be exploited using the Windows IE11 browser. | CVE-2023-40290 | False Positive | False Positive | M60 | N/A | Link | N/A to iX custom FW |
Supermicro BMC IPMI firmware (6.74.11) | An attacker could send a phishing link that does not require login, tricking BMC administrators into clicking that link while they are still logged in and thus authenticated by the BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. | CVE-2023-40285 | False Positive | False Positive | M60 | N/A | Link | N/A to iX custom FW |
Supermicro BMC IPMI firmware (6.74.11) | An attacker could send a phishing link that does not require login, tricking BMC administrators into clicking that link while they are still logged in and thus authenticated by the BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. | CVE-2023-40286 | High | Low | M60 | Not yet resolved | Link | As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit; the iX Rating is therefore Low. |
ASRock IPMI | The Redis process on the IPMI of ASRock motherboards is reachable via SSH port forwarding. | ZDI-CAN-25636 | High | Low | Mini E | Not yet resolved | Link | As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit; the iX Rating is therefore Low. Also, the SSH service for the IPMI system can be disabled from the IPMI web page for your system. |
ASRock IPMI | The Redis process on the IPMI of ASRock motherboards is reachable via SSH port forwarding. | ZDI-CAN-25636 | High | Low | Mini E+ | Not yet resolved | Link | As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit; the iX Rating is therefore Low. Also, the SSH service for the IPMI system can be disabled from the IPMI web page for your system. |
ASRock IPMI | The Redis process on the IPMI of ASRock motherboards is reachable via SSH port forwarding. | ZDI-CAN-25636 | High | Low | Mini X | Not yet resolved | Link | As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit; the iX Rating is therefore Low. Also, the SSH service for the IPMI system can be disabled from the IPMI web page for your system. |
ASRock IPMI | The Redis process on the IPMI of ASRock motherboards is reachable via SSH port forwarding. | ZDI-CAN-25637 | High | Low | Mini E | Not yet resolved | Link | As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit; the iX Rating is therefore Low. Also, the SSH service for the IPMI system can be disabled from the IPMI web page for your system. |
ASRock IPMI | The Redis process on the IPMI of ASRock motherboards is reachable via SSH port forwarding. | ZDI-CAN-25637 | High | Low | Mini E+ | Not yet resolved | Link | As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit; the iX Rating is therefore Low. Also, the SSH service for the IPMI system can be disabled from the IPMI web page for your system. |
ASRock IPMI | The Redis process on the IPMI of ASRock motherboards is reachable via SSH port forwarding. | ZDI-CAN-25637 | High | Low | Mini X | Not yet resolved | Link | As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit; the iX Rating is therefore Low. Also, the SSH service for the IPMI system can be disabled from the IPMI web page for your system. |
ASRock IPMI | The Redis process on the IPMI of ASRock motherboards is reachable via SSH port forwarding. | ZDI-CAN-25638 | High | Low | Mini E | Not yet resolved | Link | As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit; the iX Rating is therefore Low. Also, the SSH service for the IPMI system can be disabled from the IPMI web page for your system. |
ASRock IPMI | The Redis process on the IPMI of ASRock motherboards is reachable via SSH port forwarding. | ZDI-CAN-25638 | High | Low | Mini E+ | Not yet resolved | Link | As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit; the iX Rating is therefore Low. Also, the SSH service for the IPMI system can be disabled from the IPMI web page for your system. |
ASRock IPMI | The Redis process on the IPMI of ASRock motherboards is reachable via SSH port forwarding. | ZDI-CAN-25638 | High | Low | Mini X | Not yet resolved | Link | As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit; the iX Rating is therefore Low. Also, the SSH service for the IPMI system can be disabled from the IPMI web page for your system. |